ARTICLE 29 - DATA PROTECTION WORKING PARTY

The Working Party has been established by Article 29 of Directive 95/46/EC. It is the independent EU Advisory Body on Data Protection and Privacy. Its tasks are laid down in Article 30 of Directive 95/46/EC and in Article 14 of Directive 97/66/EC.

The Secretariat is provided by: The European Commission, Internal Market DG, Unit Free flow of information and data protection. Rue de la Loi 200, B-1049 Bruxelles / Wetstraat 200, B-1049 Brussel - Belgium - Office: C100-2/133

Internet address: www.europa.eu.int/comm/dg15/en/media/dataprot/index/htm

5063/00/EN/FINAL
WP 37

Working Document

Privacy on the Internet - An integrated EU Approach to On-line Data Protection -

Adopted on 21st November 2000

CHAPTER 1: INTRODUCTION
CHAPTER 2: INTERNET TECHNICAL DESCRIPTION
  I. BASICS
    MORE SOPHISTICATED PROTOCOLS USING TCP/IP
  II. ACTORS INVOLVED IN THE INTERNET
    TELECOMMUNICATIONS OPERATOR
    INTERNET ACCESS PROVIDER
    INTERNET SERVICE PROVIDER
    THE USER
  III. SERVICES AVAILABLE ON THE INTERNET
    E-MAIL
    NEWSGROUPS
    CHAT ROOMS
    WORLD WIDE WEB
  IV. PRIVACY RISKS
    PRIVACY RISKS INHERENT IN THE USE OF THE TCP/IP PROTOCOL
    PRIVACY RISKS INHERENT IN THE USE OF HIGH LEVEL PROTOCOLS
      The browser's chattering
      Invisible hyperlinks
      Cookies
    PRIVACY RISKS LINKED WITH IMPLEMENTATION OF THE HTTP PROTOCOL IN COMMON BROWSERS
  V. SOME ECONOMIC CONSIDERATIONS
  VI. CONCLUSIONS
CHAPTER 3: APPLICATION OF DATA PROTECTION LEGISLATION
  I. GENERAL LEGAL CONSIDERATIONS
    PERSONAL DATA ON THE INTERNET
    APPLICATION OF THE DIRECTIVES
      Telecoms provider
      Internet Service Providers (also including Access Providers)
      Regular websites
      Portal services
      Additional services
  II. THE REVISION OF THE TELECOMS DIRECTIVE: THE DEFINITION OF "ELECTRONIC COMMUNICATION SERVICES"
  III. OTHER LEGAL PROVISIONS APPLICABLE
  IV. APPLICATION OF NATIONAL DATA PROTECTION LEGISLATION AND ITS INTERNATIONAL EFFECTS
  V. CONCLUSIONS
CHAPTER 4: ELECTRONIC MAIL
  I. INTRODUCTION
  II. ACTORS
  III. TECHNICAL DESCRIPTION
    THE PROCESS OF SENDING AN E-MAIL
    E-MAIL ADDRESSES
    E-MAIL PROTOCOLS
  IV. PRIVACY RISKS
    COLLECTION OF E-MAIL ADDRESSES
    TRAFFIC DATA
    E-MAIL CONTENT
  V. ANALYSIS OF SPECIAL ISSUES
    WEBMAIL
    DIRECTORIES
    SPAM
  VI. CONFIDENTIALITY, SECURITY ASPECTS
  VII. PRIVACY-ENHANCING MEASURES
  VIII. CONCLUSIONS
    INVISIBLE PROCESSING PERFORMED BY "MAIL CLIENTS" AND SMTP RELAYS
    PRESERVATION OF TRAFFIC DATA BY INTERMEDIARIES AND MAIL SERVICE PROVIDERS
    INTERCEPTION
    STORING AND SCANNING OF E-MAIL CONTENT
    UNSOLICITED E-MAILS (SPAM)
    E-MAIL DIRECTORIES
CHAPTER 5: SURFING AND SEARCHING
  I. INTRODUCTION
  II. TECHNICAL DESCRIPTION AND ACTORS INVOLVED
    THE PROCESS OF WEB SURFING
    SURFING FROM THE PERSPECTIVE OF THE INTERNET USER
    OVERVIEW OF THE MOST RELEVANT DATA GENERATED AND STORED IN DIFFERENT PARTS OF THE WEB SURFING PROCESS
  III. PRIVACY RISKS
    NEW MONITORING SOFTWARE
  IV. LEGAL ANALYSIS
    MAIN PROVISIONS OF THE GENERAL DIRECTIVE 95/46/EC: FINALITY PRINCIPLE, FAIR PROCESSING AND INFORMATION TO THE DATA SUBJECT
      Information to the data subject
      Finality principle
      Fair processing
    MAIN PROVISIONS OF THE SPECIFIC PRIVACY AND TELECOMMUNICATIONS DIRECTIVE
      Article 4: Security
      Article 5: Confidentiality
      Article 6: Traffic and billing data
      Article 8: Calling and connected line identification
  V. PRIVACY-ENHANCING MEASURES
  VI. CONCLUSIONS
CHAPTER 6: PUBLICATIONS AND FORA
  I. INTRODUCTION
  II. TECHNICAL DESCRIPTION
    Newsgroups
    Chats
    PUBLICATIONS AND DIRECTORIES
  III. PRIVACY RISKS
    PUBLIC DISCUSSION FORA
    PUBLICATIONS AND DIRECTORIES
  IV. LEGAL ANALYSIS
    PUBLIC FORA
    PUBLICATIONS AND DIRECTORIES
  V. PRIVACY ENHANCING MEASURES
    ANONYMITY ON PUBLIC FORA
    SYSTEMATIC INDEXATION OF DATA
    ON-LINE ACCESS TO PUBLIC INFORMATION
  VI. CONCLUSIONS
CHAPTER 7: ELECTRONIC TRANSACTIONS ON THE INTERNET
  I. INTRODUCTION
  II. ACTORS
  III. SECURE PAYMENTS
  IV. PRIVACY RISKS
  V. LEGAL ANALYSIS
    LAWFULNESS OF THE PROCESSING: FINALITY PRINCIPLE (ARTICLES 5-7 OF DIRECTIVE 95/46/EC)
    INFORMATION TO THE DATA SUBJECT (ARTICLE 10 OF DIRECTIVE 95/46/EC)
    PRESERVATION OF PERSONAL/TRAFFIC DATA (ARTICLE 6 OF DIRECTIVE 95/46/EC AND ARTICLE 6 OF DIRECTIVE 97/66/EC)
    AUTOMATED INDIVIDUAL DECISIONS (ARTICLE 15 OF DIRECTIVE 95/46/EC)
    RIGHTS OF THE DATA SUBJECTS (ARTICLE 12 OF DIRECTIVE 95/46/EC)
    OBLIGATIONS OF THE DATA CONTROLLER: CONFIDENTIALITY AND SECURITY (ARTICLES 16 AND 17 OF DIRECTIVE 95/46/EC AND 4 AND 5 OF DIRECTIVE 97/66/EC)
    APPLICABLE LAW (ARTICLE 4 OF DIRECTIVE 95/46/EC)
  VI. CONCLUSIONS
CHAPTER 8: CYBERMARKETING
  I. INTRODUCTION
  II. TECHNICAL DESCRIPTION
    ONLINE PROFILING AND ADVERTISING
    ELECTRONIC MAILING
  III. LEGAL ANALYSIS
    THE DATA PROTECTION DIRECTIVE
    THE DISTANCE SELLING DIRECTIVE
    THE SPECIFIC PRIVACY AND TELECOMMUNICATIONS DIRECTIVE
    THE E-COMMERCE DIRECTIVE
  IV. CONCLUSIONS
    ONLINE PROFILING AND ADVERTISING
    ELECTRONIC MAILING
CHAPTER 9: PRIVACY-ENHANCING MEASURES
  I. INTRODUCTION
  II. PRIVACY-ENHANCING TECHNOLOGIES
    COOKIES KILLERS
      The cookie opposition mechanisms used by the industry
      Independent programs
    PROXY SERVERS
    ANONYMISATION SOFTWARE
    E-MAIL FILTERS AND ANONYMOUS E-MAIL
    INFOMEDIARIES
  III. OTHER PRIVACY-ENHANCING MEASURES
    P3P
    THE LABELLING OF PRIVACY
  IV. CONCLUSIONS
CHAPTER 10: CONCLUSIONS
GLOSSARY OF TECHNICAL TERMS

CHAPTER 1: INTRODUCTION

This document aims at offering an integrated EU approach regarding the issue of on-line data protection.
The word "integrated" underlines the fact that this analysis mainly departs from the texts of both the general data protection directive (Directive 95/46/EC) and the privacy and telecommunications directive (Directive 97/66/EC) but also takes into account and brings together all opinions and documents adopted by the Working Party up to now on certain critical issues which are related to this issue [1].

The Working Party has stated on several occasions in the past, when discussing the priorities for future work, the necessity of dealing with data protection issues related to the use of Internet. In order to deal with these issues in a systematic and efficient way the so-called Internet Task Force (ITF) was created in 1999. The main purpose of the ITF is to bring together resources and expertise from different national Data Protection Authorities with the aim of contributing to the uniform interpretation and application of the existing legal framework in this field.

The ITF has drafted several papers that have been adopted by the Working Party during the last two years. From the beginning of 2000 on, the ITF has intensified the frequency of its meetings with a view to achieving as result a synthesis paper that can serve as reference for addressing present and, to the extent possible, future Internet privacy issues.

The main objective of this document is to offer a first approach to the issue of on-line privacy that can serve to raise awareness concerning the privacy risks related to the use of the Internet and that can at the same time offer guidance in the interpretation of both directives in this field. The Working Party is aware of the fact that privacy is high on the list of web users' concerns [2]. It is therefore especially important for the Working Party to address this issue while being aware of the fact that some controversial issues, raising particular debate, might require future work.
This document is not intended to be exhaustive in itself but aims to cover the most typical situations which Internet users can face when using any of the services available in the Net (such as e-mail, surfing, searching, newsgroups, etc.) Because of its general character, it does not deal with specific issues that might deserve further study by the Working Party in the future, such as for instance, the control of the e-mail in the working place.

[1] In particular: Opinion 1/98: Platform for Privacy Preferences (P3P) and the Open Profiling Standard (OPS) adopted by the Working Party on the Protection of Individuals with regard to the Processing of Personal Data on June 16, 1998; Working document: Processing of Personal Data on the Internet, adopted by the Working Party on 23 February 1999, WP 16, 5013/99/EN/final; Recommendation 1/99 on Invisible and Automatic Processing of Personal Data on the Internet Performed by Software and Hardware, adopted by the Working Party on 23 February 1999, 5093/98/EN/final, WP 17; Recommendation 2/99 on the respect of privacy in the context of interception of telecommunications, adopted on 3 May 1999, 5005/99/final, WP 18; Opinion n° 3/99 on public sector information and the protection of personal data, adopted by the Working Party on 3 May 1999; Recommendation 3/99 on the preservation of traffic data by Internet Service Providers for law enforcement purposes, adopted on 7 September 1999, 5085/99/EN/final, WP 25; Opinion 1/2000 on certain data protection aspects of electronic commerce, Presented by the Internet Task Force, Adopted on 3rd February 2000, 5007/00/EN/final, WP 28; Opinion 2/2000 concerning the general review of the telecommunications legal framework, presented by the Internet Task Force, adopted on 3rd February 2000, WP 29, 5009/00/EN/final; Opinion 5/2000 on the use of public directories for reverse or multi-criteria searching services (reverse directories), WP 33, adopted on 13th July 2000 and Opinion 7/2000 on the European Commission Proposal for a Directive of the European Parliament and the Council concerning the processing of personal data and the protection of privacy in the telecommunications sector of 12 July 2000 COM (2000) 385, adopted on 2 November 2000, WP 36.

[2] This is pointed out in a six-month study just released by the Markle Foundation. See Article by AARON, D., A Euro-American proposal for privacy on the Net, Washington Post, August 2, 2000.
This working document is based on the present state of the art of the Internet, which is by nature a very dynamic and evolving phenomenon.

In order to facilitate the reading, the working document deals first with the basic technical description and the general legal issues. After that, all different Internet services are addressed separately covering in each chapter both the technical and legal issues at stake. A specific chapter is dedicated to privacy-enhancing measures and technologies that can be used to increase the privacy of the Internet users. A last chapter deals with the conclusions.

A glossary of technical terms has been included at the end of the document to enable the readers to understand the technical concepts used in the text of the document. All words printed in italics are contained in the glossary.

The ITF has deliberately chosen to keep a certain degree of overlap in the text of this document. This has been done in order to make possible selective reading of the document by readers who are especially interested in one chosen topic. For this purpose some additional - sometimes repetitive - descriptions have been kept in the text to facilitate the consultation of the different chapters as such.

The work of the Internet Task Force has been co-ordinated by Peter HUSTINX, chairman of the Dutch Data Protection Authority. The consolidated version of the working document has been prepared by a Drafting Group appointed within the ITF and composed of Diana ALONSO BLAS (from the Dutch Data Protection Authority) and Anne-Christine LACOSTE (from the Belgian Data Protection Authority). The work done by the Drafting Group included in particular the structuration and the checking of the coherence of the whole document, the integration and further development of additional legal issues and technical information as well as comments received from other delegations, the development of the glossary of technical terms and the conclusions of the paper.

Delegates from the Data Protection Authorities of six countries have been involved in the work of the Internet Task Force at different stages of its work, preparing papers that have served as a basis for a number of chapters, commenting on the contributions of other members of the ITF and contributing to the discussion during the five meetings of the ITF in 2000. In particular, the following persons deserve being mentioned: Anne-Christine Lacoste and Jean-Marc Dinant (Belgium), Ib Alfred Larsen (Denmark), Marie Georges (France), Angelika Jennen and Sven Moers (Germany), Emilio Aced Félez (Spain) and Diana Alonso Blas, Ronald Hes and Bernard Hulsman (the Netherlands).

The ITF would like to thank Christine Sottong-Micas (Secretariat of the Article 29 Data Protection Working Party, European Commission) and Karola Wolprecht (trainee session 1999/2000 at the European Commission) for their help and assistance.
CHAPTER 2: INTERNET TECHNICAL DESCRIPTION

I. Basics

The Internet is a network of computers communicating with each other on the basis of the Transport Control Protocol/Internet Protocol (TCP/IP) [3]. It is an international network of interconnected computers, which enables millions of people to communicate with one another in "cyberspace" and to access vast amounts of information from around the world [4].

Historically speaking, the ancestor of the Internet is the ARPAnet military network (1969). The basic idea was to build a trans-US digitised network enabling computers operated by the military, defence contractors and universities conducting defence-related research to communicate with one another by redundant channels even if some portions of the network were damaged in the war [5]. The first electronic mail programs appeared in 1972. In 1985, the American National Science Foundation built the NSFNET network to link together six U.S. supercomputer centres. In the late 1980s, this network was transferred to a group of universities called MERIT. The network then became more and more open to non-academic institutions and to non-US organisations. In 1990, Tim Berners-Lee, working at the CERN in Geneva, designed the first browser and implemented the concept of hyperlink, and since then a variety of new services and functionalities have been continuously added.

It is however necessary to bear in mind that TCP/IP is still the core protocol used for data transmission over the Internet and that all services rely on it. This protocol was designed to be very simple to set up and is independent of any specific computer or operating system.
On the Internet, every computer is identified by a single numerical IP address of the form A.B.C.D where A, B, C and D are numbers in the range of 0 to 255 (e.g. 194.178.86.66).

A TCP/IP network is based on the transmission of small packets of information. Each packet includes the IP address of the sender and of the recipient. This network is connectionless. It means that, unlike the telephone network for instance, no preliminary connection between two devices is needed before communications can start. It also means that many communications are possible at the same time with many partners.
The DNS (Domain Name System) is a mechanism for assigning names to computers identified by an IP address. Those names are in the form of .topleveldomain where is a string constituted by one or many substrings separated by a dot. The top level domain can be a generic domain like "com" for commercial websites or "org" for non-profit organisations, or a geographical domain like "be" for Belgium. DNS has to be paid for and companies or individuals wanting a domain name have to identify themselves. Some public tools on the Net make it possible to retrieve the link between the domain name and the company as well as between the IP address and the domain name. A domain name is not in itself necessary for connecting a computer to the Internet. Domain names are dynamic. One single Internet computer can have one or many domain names - or even none at all - but one specific domain name always refers to one particular IP address.

A limited amount of IP addresses exist at the present time. This number depends on the length of the field assigned to the IP address in the protocol [6].

[3] The technical aspects described in this work have been drastically simplified to make them comprehensible to a non-expert. For more details, see: Communication from the Commission to the Council and the European Parliament, The organisation and management of the Internet, International and European Policy Issues, 1998-2000, COM (2000) 202 final, 11 April 2000.

[4] See Reno v. ACLU decision (June 26 1997), Supreme Court of the United States, available at www2.epic.org/cda/cda_decision.html

[5] See Reno v. ACLU decision (June 26 1997)
The IP addresses are assigned in Europe through an international procedure [7] to Internet Access Providers who then reassign them to their clients, organisations or individuals. By using a publicly available search tool like, for instance, http://www.ripe.net/cgi-bin/whois it is possible to identify the party responsible for a particular IP address allocation. Typically, this will be:

- the manager of a Local Area Network linked to the Internet (e.g. an SME or a public administration). In this case, he/she will probably use a fixed IP addressing scheme and keep a list of correspondence between people's computers and IP addresses. If this person is using the Dynamic Host Configuration Protocol (DHCP [8]), the DHCP program will typically keep a logbook containing the Ethernet card number. This unique world-wide number identifies a particular computer in the LAN.
- an Internet Access Provider which has a contract with an Internet subscriber. In this case, the IAP will typically keep a log file with the allocated IP address, subscriber's ID, date, time and duration of the address allocation. Furthermore, if the Internet user is using a public telecommunications network (mobile or terrestrial phone), the number called (and date, time and duration) will be registered by the phone company for billing purposes.
- the Domain Name Holder which might be a company's name, the name of the employee of a company or a private citizen.

In these cases, this means that, with the assistance of the third party responsible for the attribution, an Internet user (i.e. his/her civil identity: name, address, phone number, etc.) can be identified by reasonable means.
A router is an important device which provides routes for TCP/IP networks. This means that the TCP/IP route is dynamic, depending on the failure or overloading of some routers or links. It can also be used as a firewall between an organisation and the Internet. It can especially guarantee that only authorised IP addresses can originate from a particular ISP.

It is important to note that the speed of transmission is the single most valuable criterion for routing in TCP/IP networks. With information circulating at almost the speed of light, it can be more efficient to route TCP/IP packets from London to Madrid via New York if there is a traffic jam in the network in Paris. Some tools allow the net user to know the route between two points, but this can theoretically change every second, even during the transfer of a single web page.

[6] The upgraded version (IP version 6) of the IP addressing system is currently being developed based on numbers that are 128 bits long.

[7] The Internet Corporation for Assigned Names and Numbers (ICANN) is the non-profit corporation that was formed to assume responsibility for IP address space allocation (http://www.icann.org). In Europe the addressing space is managed by the RIPE organisation (Réseaux IP Européens) (http://www.ripe.net). For more details about the evolving process of Internet Domain Names, see the Commission communication referred to in footnote 2.

[8] The Dynamic Host Configuration Protocol (DHCP) is an Internet protocol for automating the configuration of computers that use TCP/IP. DHCP can be used to automatically assign IP addresses. (http://www.dhcp.org)
More sophisticated protocols using TCP/IP

Some protocols are designed to provide certain services in addition to TCP/IP. Basically the most widely used protocols are: the HTTP (HyperText Transport Protocol) used for surfing, the FTP (File Transfer Protocol) used to transfer files, the NNTP (News Network Transport Protocol) used to access newsgroups, the SMTP (Simple Mail Transport Protocol) and POP3 protocols (to send and receive e-mails).

Layers and protocol hierarchy in an Internet communication process

  HTTP      used for surfing and searching
  SMTP      used for sending e-mail
  POP3      used for downloading e-mails from a mail-server to client
  NNTP      used for transferring news messages
  FTP       used for downloading or uploading files
  etc.      many other high level protocols in use or being developed
  ----------------------------------------------------------------
  TCP/IP
  ----------------------------------------------------------------
  PPP       used by modems on phone lines
  X-75      used by terminal adapter on ISDN lines
  ADSL      used by an ADSL modem on standard phone lines
  ETHERNET  used by LAN cards on a Local Area Network
  etc.      many other low level protocols in use or being developed

These protocols are necessary because the TCP/IP protocol only permits the transmission of bulk information from one computer to another. The computer delivering a service is called a SERVER. The computer using a service is called a CLIENT. To provide a technical service, both the client and the server use the same protocol, i.e. the same communication rules. The Internet is often referred to as a client/server network. It is important to note that whatever the service used, the TCP/IP protocol is always used by every service mentioned above. This means that every threat to privacy linked to the TCP/IP protocol will be present when using any service on the Web.

In order to avoid any misunderstandings with the general meaning of the word "service", the term protocol will be used in this paper to designate HTTP, FTP, NNTP and other services available on the Internet.
A proxy server is an intermediary server between the Internet user and the Net. It acts as a Web cache, dramatically improving the rate of display of information (e.g. the display of web pages). Many large organisations or Internet Access Providers have already implemented this solution. Each page, image or logo downloaded from outside by a member of an organisation is stored in a cache on the proxy server and will be instantaneously available to another member of this organisation.
II. ACTORS INVOLVED IN THE INTERNET

It should be noted that a company or an individual can play different roles regarding the Internet, and may thus concurrently perform various data processing operations (e.g. logging connections as a telecoms operator, and storing visited websites as an ISP), with all this entails concerning the application of privacy principles.

Telecommunications operator

In Europe, the telecoms infrastructure used to be de facto the monopoly of traditional telecommunications operators. This situation is however evolving. Furthermore, this monopoly is often reduced to the cables or optical fibres, while for wireless communications and emerging technologies like WAP, UMTS, etc, competition is emerging between national carriers.

The traditional telecommunications operator is still, however, an important actor since it provides the data communications between the net user and the Internet Access Provider (IAP). The telecommunications operator processes traffic information for billing purposes, such as the calling number and its location (for mobiles), called number, date, time and duration of the communication [9].
Internet Access Provider

The IAP provides, normally on a contractual basis, a TCP/IP connection to:

- Individuals using a modem or a terminal adapter (ISDN). In this case the subscriber will receive an IP address for the duration of his/her connection and this address will probably change the next time he/she dials up. This is called a dynamic IP address. In the case of a connection by ADSL or via video cable, the IP address will usually be static, as far as those connections are permanent. In order to obtain a connection, the individual [10] has to conclude a contract (where the subscription is free) and give his/her name, address and other personal data. Typically the user will receive a user identification name (UserId that may be a pseudonym) and a password so that nobody else can use his/her subscription. At least for security reasons, Internet Access Providers usually seem to systematically "log" the date, time, duration and dynamic IP address given to the Internet user in a file. As long as it is possible to link the logbook to the IP address of a user, this address has to be considered as personal data.
- Organisations using a dial up connection or, more often, a line leased to the company's office. This leased line will normally be provided by the traditional telecoms operator. The connection can also be established via a satellite line or a terrestrial radio system. The IAP will give IP addresses to the company and use a router to ensure that the addresses are observed.

IAPs own one or more leased lines (twisted pair, optical fibre, satellite link) connected to other bigger IAPs.

[9] The processing and storage time of such data is subject to strict legal conditions, as explained later.

[10] A small enterprise may also of course conclude such a contract, but such cases will not be considered in this paper.
Internet Service Provider

The Internet Service Provider (ISP) provides services to individuals and companies on the Web. It owns or hires a permanent TCP/IP connection and uses servers permanently connected to the Internet. Classically, it will offer web hosting (web pages stored on its web server), access to newsgroups, access to an FTP server and electronic mail. This involves one or more servers using the HTTP, NNTP, FTP, SMTP and POP3 protocols.

Firms playing the role of IAPs will frequently offer the services of ISPs. This is why the generic term ISP is often used to include both IAPs and ISPs. But, from a conceptual viewpoint, the roles are different. Namely, the IAP, being a gate to the Internet, will route all traffic from the Internet subscriber, while the ISP will only be aware of what happens on its servers [11]. In this report, when the term ISP is used, it generally includes IAPs. The term IAP is only used when it is clear that it deals only with Internet access; in all other cases the generic term ISP is used.

From a technical viewpoint, it is the presence of servers equipped with protocols that will be decisive in gathering personal data. In the case of HTTP servers generally, a logbook or logfile is systematically created by default and may contain all or some of the data present in the HTTP request header (browser chattering) and the IP address. The logbook is standard practice and is created by each server.
The user

The Internet user can be an individual accessing the Net from home, generally using a temporary TCP/IP connection (and thus a dynamic IP address) via a modem, a terminal adapter (ISDN), or a permanent connection (thus static IP address) through ADSL, cable TV, etc. Connection via a mobile phone, whilst generally more expensive, is also possible.

Should a subscriber give a false identity or use the identity of another user (typically by giving someone else's UserId and password), it is still possible to trace back the owner of the line to which a particular IP address has been given by comparing this information with the information contained in the IAP logbook. This is, in fact, what the police do when tracing criminal intrusions into computers linked to the Internet. The same applies if the individual is using a LAN or an Intranet.

The user can also be an organisation, a public administration or a company which uses the Internet not only to provide or to look for information but also to collect data for the purpose of its tasks or activities (administrative procedures, selling of goods or provision of services, publication of directories, small ads, sending out questionnaires, etc.)

III. SERVICES AVAILABLE ON THE INTERNET [12]

Anyone with access to the Internet may use a wide variety of communication and information retrieval methods. The most common are electronic mail (see Chapter 4), newsgroups and chat rooms (see chapter 6) and the World Wide Web (see Chapter 5). All these methods can be used to transmit text; most can transmit sound, pictures and moving video images. Taken together, these tools constitute a unique medium, known to its users as "cyberspace", available to anyone, anywhere in the world, with access to the Internet.

[11] This paper will not deal with ISPs as content providers although some of them provide content in certain circumstances (for instance, some ISPs have their own portal site).

[12] For a detailed description of these services see decision Reno v. ACLU (June 26, 1997).
e-mail

E-mail enables an individual to send an electronic message to another individual or to a group of addressees. The message is generally stored electronically on a server, waiting for the recipient to check his/her mailbox, and sometimes making its arrival known through some type of prompt.

Newsgroups

Newsgroups are used to share information or express opinions about specific matters. They serve groups of regular participants but others may read their postings too. There are thousands of such groups, each serving to promote the exchange of information or opinion on a particular topic. About 100 000 new messages are posted each day.

Chat rooms

Two or more individuals wishing to communicate directly can enter a chat room to engage in real-time dialogue by typing messages that appear almost immediately on the others' computer screens.

World Wide Web

The best known category of communication over the Internet is the World Wide Web, which allows users to search for and retrieve information stored in remote computers. In plain terms, the Web consists of a vast number of documents stored in different computers all over the world.

Navigating the Web is relatively straightforward. A user may either type the address of a known page or enter one or more keywords into a commercial "search machine" in an effort to locate sites on a subject of interest. Users generally explore a given web page or move to another by clicking a computer "mouse" on one of the page's icons or links. The Web is thus comparable, from the reader's viewpoint, either to a vast library including millions of readily available and indexed publications or a sprawling mall offering goods and services (see Chapter 7).

Any person or organisation with a computer connected to the Internet can "publish" or collect information (see Chapters 6, 7 and 8). Publishers or those who collect data include government agencies, educational institutions, commercial entities, interest groups and individuals. Those may either make their material available to the entire pool of Internet users, or restrict access to a selected group.
IV. Privacy risks [13]

Privacy risks inherent in the use of the TCP/IP protocol

Due to the fact that the Internet has, from the very beginning, been considered as an open network, there are many characteristics of communication protocols which, more by accident than design, can lead to an invasion of the privacy of Internet users. As far as the TCP/IP protocol is concerned, there are three characteristics which appear to constitute a potential invasion of privacy.

- The route followed by TCP/IP packets is dynamic and follows the logic of performance. In theory, it may change during the downloading of a web page or the transmission of an e-mail, but in practice it remains largely static. In telecommunications, performance is linked more to the congestion of the network than to the physical distance between telecommunications nodes (routers). This means that the "shortest" way between two towns located in the same EU country may pass through a non-EU country which may or may not have adequate data protection [14]. The average Internet user has no reasonable means of changing this route, even if he/she knows which route is followed at a particular moment.
- Due to the fact that the translation between the Domain Name and the numerical IP address occurs via a DNS server, whose function is to ensure this translation, this DNS server receives, and can keep trace of, all the names of the Internet servers the Internet user has tried to contact. In practice, those DNS servers are mainly maintained by Internet Access Providers, who have the technical capability to know much more than that, as will be described in the next chapters.
- The ping command, available on all operating systems, allows anyone on the Internet to know if a particular computer is turned on and connected to the Internet. It is a command which involves typing the letters PING followed by the IP address (or the corresponding name) of a selected computer. The user of the "pinged" computer will usually not be aware that and for which reasons somebody has tried to find out if he/she was connected at a given moment. It should be noted that permanent Internet connections via cable and ADSL present the same risks.

Even if these data-processing operations are legitimate and, depending on circumstances, unavoidable for the smooth operation of the Internet network, the Internet user should be made aware of the fact that these operations are taking place and of available security measures.

[13] The French CNIL has in its website a section called "vos traces" where Internet users can view the traces they leave behind when using the Internet. This section is available in French, English and Spanish. See www.cnil.fr
Privacy risks inherent in the use of high level protocols

This section focuses on three characteristics that are almost always present when implementing the HTTP protocol in the most frequently used browsers. It has to be noted that a combination of these characteristics can have serious consequences for the privacy of Internet users. HTTP is of strategic importance insofar as it is the main protocol used on the Web and can offer services like electronic mail and discussion fora, which up to now had usually been provided by specialised high level protocols such as POP3, SMTP or NNTP [15].

The browser's chattering

It is generally known that typing "http://www.website.org/index.htm" means something like "show me the page named "index.htm" on the server www.website.org by using the HTTP protocol". One might think that only the IP address of the surfer and the file he/she wants to see are transmitted to the website. This is, however, not the case.

[14] See Chapter 2 for more details on this issue.

[15] See DINANT, Jean-Marc, Law and Technology Convergence in the Data Protection Field Electronic threats to personal data and electronic data protection on the Internet, ESPRIT Project 27028, Electronic Commerce Legal Issues Platform.
The following table lists some of the data systematically transmitted in the HTTP header while making an HTTP request (Automatic browser chattering) and thus available to the server:

HTTP Var.: GET
  Opera 3.50:       GET /index.html HTTP/1.0
  Netscape 4.0 Fr:  GET /index.html HTTP/1.0
  Explorer 4.0 UK:  GET /index.html HTTP/1.0

HTTP Var.: User-Agent:
  Opera 3.50:       Mozilla/4.0 (compatible; Opera/3.0; Windows 95) 3.50
  Netscape 4.0 Fr:  Mozilla/4.04 [fr] (Win95; I; Nav)
  Explorer 4.0 UK:  Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)

HTTP Var.: Accept:
  Opera 3.50:       image/gif, image/x-xbitmap, image/jpeg, */*
  Netscape 4.0 Fr:  Image/gif, image/x-xbitmap, image/jpeg
  Explorer 4.0 UK:  image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/msword, application/vnd.ms-powerpoint, */*

HTTP Var.: Referer:
  Opera 3.50:       (none)
  Netscape 4.0 Fr:  Where.were.you/doc.htm
  Explorer 4.0 UK:  Where.were.you/doc.htm

HTTP Var.: Language:
  Opera 3.50:       (none)
  Netscape 4.0 Fr:  Fr
  Explorer 4.0 UK:  fr-be

The technical definition of those fields can be found in the RFC 1945 for HTTP 1.0 or in the RFC 2068 for HTTP 1.1. The following remarks can be made in this respect:

- The first line is the only one which is indispensable.
- In the "Accept" line, every browser mentions that the Internet user is using Windows 95. One could wonder why.
- Netscape adds that the browser version is a French one.
- Every browser gives its own name, version and sub-version identification.
- While describing the accepted formats, Microsoft informs every site that the Internet user's computer has Powerpoint, Excel, and Word installed on it.
- Opera does not disclose the referring page.
- Opera does not reveal the language spoken.
- Netscape reveals that the Internet user is French-speaking.
- Microsoft reveals that the Internet user is a French-speaking Belgian.
Invisible hyperlinks

Hyperlinks are the added value of the Internet. They make it possible to browse from one continent to another simply by a mouse click. What is hidden to the eyes of the common user is that classical browsing software makes it possible for the HTTP request to include a command to download images for inclusion in the HTML page code. Those images do not need to be located in the same server as the one which has received the original call for a particular web page. In this case, the HTTP_REFERER variable contains the referring page reference, i.e. the main page in which the images will be located. In other words: if a website includes in its web page in HTML an invisible link to an image located on the website of a cybermarketing company, the latter will know the referring page before sending the advertising banner. When doing a search on a search engine, the name of the web page includes the keywords typed.

Cookies

Cookies are pieces of data that can be stored in text files that may be put on the Internet user's hard disk, while a copy may be kept by the website. They are a standard part of HTTP traffic, and can as such be transported unobstructed with the IP-traffic. A cookie resides on a user's hard drive and contains information about the individual that can be read back by the website that deposited it or by anyone else with an understanding of that website's data format. A cookie can contain any information the website wants to include in it: pages viewed, advertisements clicked, user identification number and so on [16]. In some cases, they may be useful for providing a certain service through the Internet or to facilitate the surfing of the Internet user. For instance, certain custom websites rely on cookies to identify users each time they return, so users do not have to log in to the website each time they check their news.

The SET-COOKIE is placed in the HTTP response header [17], namely in invisible hyperlinks. If a duration is stipulated [18], the cookie will be stored on the Internet user's hard disk and sent back to the website originating the cookie (or to other websites from the same subdomain) for that duration. This sending back will take the form of a COOKIE field involved in the browser chattering described above.

By putting together the browser chattering and invisible hyperlinks, a cybermarketing company can, by default, know all the keywords typed by a particular Internet user into the search engine on which this company is advertising, the computer, operating system, browser brand of the Internet user, the user's IP address, and the time and duration of HTTP sessions. These raw data make it possible, if combined with other data available to the company, to infer new data like [19]:

1. The country where the Internet user lives.
2. The Internet domain to which he/she belongs.
3. The sector of activity of the company employing the Internet user.
4. The turnover and size of the employing company.
5. The function and position of the surfer within this company.
6. The Internet Access Provider.
7. The typology of websites currently visited.

The cookie allows a permanent and unique identifier to be sent systematically with every information request, whereas the IP address remains a relatively weak identifier because it can be hidden by proxies and is not reliable, due to its dynamic character for Internet users accessing the Internet by modem. Many cybermarketing companies have already done such invisible profiling [20].
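
The following Python example is added here and is not part of the Working Party's document. It audits what a request for an embedded third-party image discloses through the browser chattering and cookie fields described above, and shows that a request reduced to its first line discloses none of it. Host names, paths and the search query are constructed; the header values follow this page's own examples, with `Accept-Language` assumed as the name of the field the comparison above labels "Language".

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample requests: what a browser sends to a banner server when
# two different pages embed an image hosted there. Host names, paths and the
# search query are made up; header values follow the examples on this page.
CHATTER = (
    "User-Agent: Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)\r\n"
    "Accept: image/gif, image/jpeg, application/vnd.ms-excel, "
    "application/msword, application/vnd.ms-powerpoint, */*\r\n"
    "Accept-Language: fr-be\r\n"
    "Cookie: UserId=342ER432\r\n"
)
REQ_SEARCH = ("GET /banner.gif HTTP/1.0\r\n"
              "Referer: http://search.example/find?q=cheap+flights+lisbon\r\n"
              + CHATTER + "\r\n")
REQ_NEWS = ("GET /banner.gif HTTP/1.0\r\n"
            "Referer: http://news.example/articles/pension-reform.html\r\n"
            + CHATTER + "\r\n")

# Accept entries that, per the page, reveal installed desktop software.
APP_TYPES = {
    "application/vnd.ms-excel": "Excel",
    "application/msword": "Word",
    "application/vnd.ms-powerpoint": "PowerPoint",
}


def parse_request(raw):
    """Split a raw HTTP request into its request line and a header dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            # Header names are case-insensitive, so normalise to lower case.
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def disclosures(raw):
    """Report what the receiving server learns from the header fields alone."""
    _, h = parse_request(raw)
    report = {}
    ua = h.get("user-agent", "")
    if "(" in ua and ")" in ua:
        inner = ua[ua.index("(") + 1:ua.rindex(")")]
        report["platform"] = [t.strip() for t in inner.split(";") if t.strip()]
    apps = [APP_TYPES[t.strip()] for t in h.get("accept", "").split(",")
            if t.strip() in APP_TYPES]
    if apps:
        report["installed_apps"] = apps
    if "accept-language" in h:
        report["language"] = h["accept-language"]
    if "referer" in h:
        url = urlsplit(h["referer"])
        report["referring_page"] = url.netloc + url.path
        # On a search-results page the query string carries the typed keywords.
        words = [v for vals in parse_qs(url.query).values() for v in vals]
        if words:
            report["typed_keywords"] = words
    if "cookie" in h:
        pairs = (p.partition("=") for p in h["cookie"].split(";"))
        report["cookie"] = {k.strip(): v.strip() for k, _, v in pairs if k.strip()}
    return report


def strip_chatter(raw, keep=()):
    """Keep the request line plus only the (lower-case) header names in `keep`."""
    request_line, h = parse_request(raw)
    kept = [f"{name}: {value}" for name, value in h.items() if name in keep]
    return "\r\n".join([request_line] + kept) + "\r\n\r\n"


def linkable_visits(raw_requests):
    """Group referring pages by cookie value, as the receiving server could."""
    visits = {}
    for raw in raw_requests:
        d = disclosures(raw)
        for value in d.get("cookie", {}).values():
            visits.setdefault(value, []).append(d.get("referring_page"))
    return visits


if __name__ == "__main__":
    for field, value in disclosures(REQ_SEARCH).items():
        print(f"{field}: {value}")
    print("linked by cookie:", linkable_visits([REQ_SEARCH, REQ_NEWS]))
    print("first line only:", disclosures(strip_chatter(REQ_SEARCH)))
```

Without the `Cookie` field the two requests can no longer be grouped under one identifier, which is the distinction the text draws between the cookie and the weaker IP address.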

[16] See the book by HAGEL III, J. and SINGER, M., Net Worth: the emerging role of the informediary in the race for customer information, Harvard Business School Press, 1999, p. 275.
[17] Technically speaking, it is also possible to implement cookies in JavaScript or in the fields located in the HTML code.
[18] Cookies with no fixed duration are called "session cookies" and disappear when the browser is unloaded or when the socket closes.
[19] GAUTHRONET, Serge, "On-line services and data protection and the protection of privacy", European Commission, 1998, p. 31 and 92, available at http://europa.eu.int/comm/dg15/en/media/dataprot/studies/servint.htm
[20] For DoubleClick alone, about 26 million Internet users in March 1997 (GAUTHRONET, op. cit., p. 86) and more than one billion cybermarketing banners downloaded each month outside the US (ibid., p. 96). Presently more than 500,000,000 advertising banners sent each day for one single cybermarketing company. See http://www.doubleclick.net/company_info/investor_relations/financials/analyst_metrics.htm

Privacy risks linked with implementation of the HTTP protocol in common browsers

The combination of browser chattering, invisible hyperlinks and cookies provides the means for invisible profiling of every individual Internet user who uses a browser installed by default. This profiling is not "per se" linked to the HTTP protocol, as defined by the W3C [21]. Furthermore, the HTTP 1.1 protocol definition has explicitly drawn the attention of the industry to possible privacy issues while implementing the HTTP protocol [22]:

– "Having the user agent describe its capabilities in every request can be both very inefficient (given that only a small percentage of responses have multiple representations) and a potential violation of the user's privacy" [page 68]
– "It may be contrary to the privacy expectations of the user to send an Accept-Language header with the complete linguistic preferences of the user in every request" [page 98]
– "The client SHOULD not send the From header [23] field without the user's approval, as it may conflict with the user's privacy interests or their site's security policy. It is strongly recommended that the user is able to disable, enable, and modify the value of this field at any time prior to a request." [page 118]
– "HTTP clients are often privy to large amounts of personal information (e.g. the user's name, location, mail address, passwords, encryption keys, etc.), and SHOULD be very careful to prevent unintentional leakage of this information via the HTTP protocol to other sources. We very strongly recommend that a convenient interface be provided for the user to control dissemination of such information, and that designers and implementers be particularly careful in this area. History shows that errors in this area are often both serious security and/or privacy problems, and often generate highly adverse publicity for the implementer's company." [page 143] [24]

V. Some economic considerations

The Internet has experienced extraordinary growth over the last years.
The number of "host" computers - those that store information and relay communications - rose from about 300 in 1981 to approximately 9 400 000 in 1996. Roughly 60% of these hosts are located in the United States. About 40 million people used the Internet in 1996 and about 200 million were expected to use it by 2000 [25]. It is expected that half of the European population will be connected to the Internet by 2005 [26].

In many European countries, Internet subscription is free for individuals but the subscriber has to pay for the line to the telecommunications operator. The IAP or ISP will be remunerated by a retroconnect fee paid back by the telecommunications operator (TO) on the basis of the duration of the local call made by the Internet subscriber. This means that even in cases where a user has free subscription to the Internet he/she will still have to bear the expenses of the telephone lines used. This will benefit both the IAP/ISP and telecom operators.

Software producers will also benefit from the use of the Internet because, even if they make their products freely available to the consumer (freewares, browsers, etc.), they receive a remuneration for the use of their softwares by website servers.

[21] The World Wide Web Consortium is a non-profit organisation hosted by Inria (France), MIT (USA) and the University of Keio (Japan). The members of this consortium are notably Microsoft, AOL, Netscape, and Center for Democracy and Technology (http://www.w3.org/Consortium/Member/List). This consortium produces non-mandatory but de facto standardisation intended to guarantee the interoperability of computers on the Internet.
[22] http://www.w3.org/Protocols/rfc2068/rfc2068. The page numbering in brackets refers to the W3C's numbering.
[23] "From header" field is used for naming the referring page.
[24] The word "privacy" is mentioned 18 times in the RFC 2068.
[25] See Reno v. ACLU decision (June 26, 1997).
[26] European Commission press release, Commission welcomes new legal framework to guarantee security of electronic signatures, 30 November 1999.

Direct marketing is one of the major rental activities on the Web. Cybermarketing companies place advertising banners on web pages, often in such a way that the collection of personal data remains widely invisible to the data subject. Thanks to the use of invisible links in combination with browser chattering and cookies, unknown marketing companies are able to profile Internet users on a one-to-one basis. One single cybermarketing company could send about half a billion personalised advertising banners on the Web every day. Direct marketing companies finance many search engines.

By putting an invisible hyperlink to cybermarketing companies on their own web pages, common websites (and search engines in particular) will instruct common browsers like Netscape and Internet Explorer to open an independent HTTP connection with the cybermarketing company's HTTP server. As explained before, the browser will automatically chat various data while doing the HTTP request, namely: the IP address, the referring page (in the case of a search engine, this variable contains the keywords typed by the searcher), the brand, version and language of the browser used (e.g. Internet Explorer 4.02, Dutch, type and OS used: Windows 2000, Linux 2.2.5, Mac OS 8.6 and so on) and, last but not least, the identifying cookie (e.g. UserId=342ER432) which might already have been placed by the cybermarketing company through previous invisible hyperlinks.

The average Internet user is generally unaware of the fact that while typing a URL (Unified Resource Locator), many banners that he/she will see as a result do not originate from the website he/she is visiting. Nor are users aware of the fact that, while downloading one ad banner, their browser will systematically transmit a unique ID, IP address, and complete URL of the web page they are visiting (this includes keywords typed on search engines and the name of press articles they are reading online). All those data can be merged to build a global profile of a citizen surfing from one site to another, thanks to the unique ID stored in the cookie.

The capture of user information in on-line environments is considered to have economic and strategic importance. The following paragraph taken from a famous American publication [27] illustrates this idea:

Too many businesses, including many of the leading-edge entrepreneurial companies emerging on the Internet, have not focused enough on the value of customer profiles. The winners and losers of this new era will be determined by who has rights to on-line customer profiles.

It is worth mentioning that the collection of Internet users data is usually free of any costs for the company, as consumers often provide the information themselves, e.g. by filling in forms. Websites often use loyalty programs like games, questionnaires, newsletters, that involve the provision of personal information by the visitor of the website.

Recent cases confirm the increasing value attached by businesses to consumer profiles. Lists of customers are being sold or shared, most often through mergers of IT companies which thus increase the detail and number of profiles they can use.

There will eventually be acquisitions that are based on consumer data, where the primary asset that's being bought is the consumer data. (…) Consumer data right now is the currency of e-commerce in a lot of ways. Those are valuable customers because they've shown that they're buyers, and they've bought from a competing store. (…) Names in a database save a company from spending marketing dollars to acquire a customer -- usually about $100 per customer [28].

Customer data have also been offered for sale when Internet companies go bankrupt. A company selling toys recently included the sale of its customer profiles as part of the company's liquidation. These customer profiles were collected from users under the privacy policy that no information would ever be shared with a third party without the express consent of the user. The profiles include names, addresses, billing information, shopping behavioural information and family profiles with the names and birth dates of children. TRUSTe, which had approved the company's privacy policy, advised on August 8, 2000 that it had filed an objection with the United States Bankruptcy Court, to the Federal Trade Commission (FTC) consent agreement with the company on the conditions for liquidating the assets [29].

[27] See the book "Net Worth" (op cit), page xiii (preface).

A comprehensive data protection policy must take account of a balanced choice between economic interests and human rights. Two big issues remain unresolved.

- Nowadays a large volume of individual data on many Internet users has been collected on the Internet without the prior knowledge and/or consent of the data subject, mainly due to the invisible side-effects of Internet technology. It is foreseeable that, in the next few years, more and more personal data will be exchanged for material gain [30], but how far can the Internet user go in doing this? What kind of personal data can be shared by the data subject itself, for how long and under what circumstances?
- If the funding of particular websites (e.g. search engines) comes mainly from the cybermarketing industry, there may be a temptation to use personalised profiling to ensure that services which were previously free exclude people who do not have sufficient income, have not responded to hundreds of advertising banners or wish to preserve their privacy.

VI. Conclusions

The Internet was conceived as an open network at world level (www) through which information could be shared. It is however necessary to find a balance between the "open nature" of the Internet and the protection of the personal data of the Internet users.

Enormous amounts of data on Internet users are collected on the Internet while often users are not aware of this fact. This lack of transparency towards the Internet users needs to be addressed in order to achieve a good level of personal data and consumers' protection.

Protocols are technical means that in fact determine how data are to be collected and processed. Browsers and software programmes also play an important role. In some cases they include an identifier that makes it possible to link the Internet user to his/her activities in the Net. It is therefore the responsibility of those involved in the design and development of these products to offer users privacy-compliant products. In that sense it is important to mention that article 14 of the draft telecoms directive of 12 July 2000 declares that, where required, the Commission shall adopt measures to ensure that technical equipment incorporates the necessary safeguards to guarantee the protection of personal data and privacy of users and subscribers.

[28] Quoted from M. HALPERN and HARMON, E-mergers trigger privacy worries by Deborah KONG, http://www.mercurycenter.com/svtech/news/indepth/docs/consum012400.htm
[29] http://www.truste.org/users/users_investigations.html
[30] See for instance the discussion on infomediaries in Chapter 9.

CHAPTER 3: APPLICATION OF DATA PROTECTION LEGISLATION

I. General legal considerations

The point of departure for the legal analysis of all the different phenomena to be carried out in the following chapters is the fact that both data protection directives (Directive 95/46/EC and 97/66/EC) apply in principle to personal data processed on the Internet [31]. All legal considerations included in this document are based on the interpretation of these Directives as well as on the documents adopted by the Working Party and in some cases (if so indicated) the jurisprudence of the European Court of Human Rights.

Personal data on the Internet

As has been already mentioned in this paper, Internet Access Providers and Managers of Local Area Networks can, using reasonable means, identify Internet users to whom they have attributed IP addresses as they normally systematically "log" in a file the date, time, duration and dynamic IP address given to the Internet user. The same can be said about Internet Service Providers that keep a logbook on the HTTP server. In these cases there is no doubt about the fact that one can talk about personal data in the sense of Article 2 a) of the directive [32].

In other cases, a third party can get to know the dynamic IP address of a user but not be able to link it to other data concerning this person that would make his/her identification possible. It is obviously easier to identify Internet users who make use of static IP addresses.

The possibility exists in many cases, however, of linking the user's IP address to other personal data (which is publicly available or not) that identify him/her, especially if use is made of invisible processing means to collect additional data on the user (for instance, using cookies containing a unique identifier) or modern data mining systems linked to large databases containing personally-identifiable data on Internet users.

Therefore, even if it might not be possible to identify a user in all cases and by all Internet actors from the data processed on the Internet, this paper works on the basis that the possibility of identifying the Internet user exists in many cases and that large masses of personal data to which the data protection directives apply are therefore processed on the Internet.

Application of the directives

As the Working Party has already stated on previous occasions, the general data protection directive 95/46/EC applies to any processing of personal data falling within its scope, irrespective of the technical means used. Personal data processing on the Internet therefore has to be considered in the light of this directive [33]. The general directive thus applies in all cases and to all the different actors that we have dealt with in the first part of this chapter (technical description).

[31] See WP 16, Working document: Processing of Personal Data on the Internet, adopted by the Working Party on 23 February 1999, 5013/99/EN/final.
[32] See also recital 26 of the preamble to the directive.
[33] The expression "the directive" refers in this paper to Directive 95/46/EC.

The specific directive 97/66/EC on the protection of privacy and personal data in the telecommunications sector particularises and complements the general directive 95/46/EC by establishing specific legal and technical provisions. Directive 97/66/EC applies to the processing of personal data in connection with the provision of publicly available telecommunications services in public telecommunications networks in the Community. Internet services are telecommunications services. The Internet thus forms part of the public telecommunications sector.

Directive 95/46/EC applies to all matters that are not specifically covered by Directive 97/66/EC, such as the obligations on the controller and the rights of individuals or non-publicly available telecommunications services [34]. Personal data voluntarily provided by the Internet user during his/her connection to the Internet would always fall under the scope of application of this Directive.

In the following table, an attempt is made to define cases in which the specific directive 97/66/EC applies and those where directive 97/66/EC applies, by stating the most relevant principles. It should, however, be taken into account that some overlapping will occur when actors play several roles at the same time.

Table columns: Actor / Task / Possible processing of personal data / Relevant provisions of the telecoms directive

Actor: Telecoms provider (Ex. AT&T)
Task:
- Connecting Internet users and ISPs
Possible processing of personal data:
- Logging Internet user-ISP connections
- Transfer CLI of Internet user to ISP
Relevant provisions of the telecoms directive:
- Telecoms directive, especially: confidentiality of the communications, traffic and billing data and presentation and restriction of calling line and connected line identification.

Actor: Internet Service Provider [35] (Ex. World Online)
Task:
- Providing the requested Internet service
- Transfer request from Internet user to proxy server (cache)
- Transfer request from Internet user to website
- Transfer reply from proxy server to Internet user
- Transfer reply from website to Internet user
Possible processing of personal data:
- Logging incoming CLI's
- Allocation of IP-address to a session
- Possibility of storing lists of visits to websites, sorted by IP address
- Exchanging data with requested websites
- Logging of sessions (login and logout times, and amounts of transferred data)
- Extracting information from headers and content.
Relevant provisions of the telecoms directive:
- Telecoms directive, in particular: confidentiality of the communications, traffic and billing data

Actor: Portal service (Ex. Yahoo, AOL, Macropolis)
Task:
- Selection of supply of information
- Providing information (content provider), and sometimes services or goods
Possible processing of personal data:
- Logging of requests to sites behind the portal
- Possible logging of visits to the site
- Logging of referring pages, keywords typed (chattering data)
- Posting cookies on hard disk of Internet user.
- Profiling
Relevant provisions of the telecoms directive:
- Telecoms directive (applicable to the ISP hosting the portal site)

Actor: Regular website / homepage (Ex www.coe.int)
Task:
- Providing information (content provider), and sometimes services or goods
Possible processing of personal data:
- Possible logging of visits to the site
- Logging of referring pages, keywords typed (chattering data)
- Posting cookies on hard disk of Internet user.
- Profiling
Relevant provisions of the telecoms directive: (none listed)

Actor: Providers of additional services (Ex. Nedstat Doubleclick Banners)
Task:
- Customising web pages
Possible processing of personal data:
- Profiling (by merging the clickstream of several websites)
Relevant provisions of the telecoms directive:
- Not always a telecommunications service, so the telecoms directive only applies in some cases.

Actor: Providers of routers and connecting lines (often owned by telecoms providers)
Task:
- Connecting ISP's
- Directing data from Internet user to IP website.
Possible processing of personal data:
- Risk of illegal interception
Relevant provisions of the telecoms directive:
- Telecoms directive: in particular, security and confidentiality of communications

[34] See recital 11 of Directive 97/66/EC.
[35] In principle the term Internet Service Provider as used in this paper also includes Internet Access Providers (see definition in the glossary of terms). This paper only refers to Internet Access Providers when dealing with issues that only apply to them.

In deciding whether both directives are applicable or not, the key question is obviously to determine if the service concerned can be considered as a "telecommunications service", as defined in Article 2 d) of Directive 97/66/EC: transmission and routing of signals via telecommunication networks. If the specific telecoms directive is applicable, it is necessary to apply the specific rules contained in it.

Telecoms provider

There is no doubt that connecting Internet users to an ISP, providing Internet services to Internet users and routing requests and replies from Internet users to website servers and back are telecommunications services. So, Directive 97/66/EC applies to telecommunications providers, Internet Service Providers and providers of routers and lines for Internet traffic.

Internet Service Providers (also including Access Providers)

The same can be said about Internet Service Providers; there is no doubt that the specific telecoms Directive applies to their activities.

An interesting case concerns those institutions or persons which have direct access to the Internet without the help of an ISP. These institutions are in fact acting as Internet Service Providers connecting their own private network to the Internet. Article 3 of Directive 97/66/EC defines its scope of application by specifying that it concerns publicly available telecommunications services in public telecommunications networks in the Community. In the above-mentioned case, there is not a public network but a private network for a given group of users. It can therefore be concluded that these services, whilst falling within the definition of telecommunications services, cannot be considered as publicly available services and do not therefore fall within the scope of application of Directive 97/66/EC. It is important to mention that in such cases the provisions of the specific Directive would apply again if information is sent to somewhere outside the private network. Obviously, the provisions of the general data protection directive are fully applicable in these cases.

Regular websites

Normally a website is hosted by an ISP. This means that the person responsible for a website (for instance the website of the Council of Europe) rents some storage capacity from an ISP for storing its website and making it available. It also means that the ISP replies to Internet users' requests for web pages on behalf of the Council of Europe. Consequently, the person who "runs" the website (in this case the Council of Europe) only decides on which information will be made available on the website, but does not him/herself carry out any kind of operation involving the transmission or routing of signals on telecommunications networks.

Where goods or services can be ordered through a website, the person responsible for the site will provide those services/goods. The telecommunications services as such will not normally be provided by the person responsible for the site, but by the ISP.

It can therefore be said that websites are subscribers to the telecommunications services (transmission) of the web hosting ISP but do not themselves carry out any of these services. Directive 97/66/EC is applicable to the ISP's as such but not to the websites, to which the general directive applies.

Portal services

A portal site provides an ordered overview of web links. The Internet user can easily visit selected websites of other content providers via the portal visited. A portal site is hosted by an ISP. In some cases the portal site belongs to the ISP (for instance worldonline.nl); in others the ISP hosts the portal site for a third party which provides the content. In both cases it is the ISP which provides the telecommunications service as defined in Article 2 of Directive 97/66/EC and to whom this directive applies – it does not apply to the content-provider.

Additional services

The providers of additional services do not, in all cases, fall within the scope of application of the privacy and telecommunications directive.

Some of these service providers (like Nedstat) process data which they collect from websites and then sell back to the owners of the websites. The data they process come from the Internet but their activity does not in principle involve the transmission or routing of signals on telecommunication networks. They do not therefore play an essential role in the communications process between the Internet user and the website. If the data they process only consist of aggregated non-identifiable data, it could even be said that they do not come under the general directive as no personal data would be involved.

Actors like Doubleclick, Engage or Globaltrash place advertisements in requested pages. Normally there is a contractual agreement binding these advertisers to the ISP hosting the web pages in which banners are placed. For this purpose, technically speaking every time a website is accessed it contacts the advertiser (hyperlink by automatic means) so that this can place banners on the requested pages. Additionally, the advertiser can place cookie files on the hard disk of the Internet user in order to construct profiles of visitors to the site, so that customised banners can be placed on the web page [36].

It is unclear whether the core activities of Doubleclick, Engage and other advertisers can be regarded as a telecommunications service or not. It appears that they do not transmit and route signals as defined in Article 2 of the telecoms directive. They provide content information to be placed on the requested web pages, making use of the available telecommunications infrastructure and networks. This is, in any case, a good example of a situation in which the existing definition of telecommunications services is difficult to apply to Internet-related services.

II. The revision of the telecoms directive: the definition of "electronic communication services"

The European Commission announced in 1999 in a communication [37] its intention to carry out a general review of the existing legal framework for telecommunications at European level. Within the framework of this general review of the legal framework for telecommunications, the existing directive on the processing of personal data and the protection of privacy in the telecommunications sector will also be revised and updated.

The Article 29 Working Party has already made public some thoughts concerning this revision in its opinion 2/2000, presented by the Internet Task Force and adopted on 3rd February 2000 [38].

The text of the European Commission's Communication pointed out that the planned review would pay special attention to the terminology used by Directive 97/66/EC in order to make it clear that new services and technologies are covered by this Directive, thus avoiding possible ambiguities and facilitating the consistent application of data protection principles. In its opinion 2/2000, the Working Party welcomed such a re-examination of the terminology for these purposes.

The proposal for a directive on the processing of personal data and the protection of privacy in electronic communications services was published by the Commission on 12 July 2000 [39]. The European Commission press release [40] underlines the fact that one of the objectives of the new package is to ensure the protection of the right to privacy on the Internet.

This proposal no longer refers to "telecommunications services", but to "electronic communications services". The explanatory memorandum to the proposal mentions that this change was necessary to align the terminology with the proposed directive establishing a common framework for electronic communications services and networks [41].

The term "electronic communications services" is not defined in the proposed privacy and telecommunications directive but in Article 2 b) of the proposed directive establishing a common framework for electronic communications services and networks.

[36] The book "Net Worth" (op cit.) mentions in page 275: "Because cookies can also be used to match browsing habits and preferences, they are increasingly being used to target advertisements to specific people. Indeed, Doubleclick, Globaltrash and ADSmart are examples of companies that use cookies to target advertisements to consumers at their enabled websites."
[37] Document COM (1999) 539.
[38] Opinion 2/2000 concerning the general review of the telecommunications legal framework, presented by the Internet Task Force, adopted on 3rd February 2000, WP 29, 5009/00/EN/final.
[39] Document COM (2000) 385.
[40] Commission proposes overhaul of rules for electronic communication, Brussels 12 July 2000, IP/00/749.
[41] COM (2000) 393.

The new definition reads as follows:

Electronic communications services means services provided for remuneration which consist wholly or mainly in the transmission and routing of signals on electronic communications networks, including telecommunications services and transmission services in networks used for broadcasting, but excluding services providing, or exercising editorial control over, content transmitted using electronic communications networks and services.

The new definition is actually based on the same core idea as the previous one (the transmission and routing of signals on electronic communications services) but the inclusion of a list of examples of services included and excluded from the definition is very helpful as it sheds light on the discussions outlined in the previous section.

It can be concluded from the list included in the new definition that those who provide content transmitted using electronic communications networks and services will not fall within the scope of application of the revised privacy and telecommunications directive. This is confirmed by the preamble to the proposed directive establishing a common framework for electronic communications services and networks (recital 7) in which it is stated that it is necessary to separate the regulation of transmission from the regulation of content. It is, however, stated that this separation should not overlook the links existing between them.

The main consequence of this separation is that additional services such as DoubleClick or those which provide content to a portal or a website (but not host them) are covered not by this directive, but only by the general one. It also means that Internet Service Providers are covered by the specific directive in so far as they act as Access Providers and provide connection to the Internet, and are only covered by the general directive when acting as content providers [42].

The advantage of the clear separation between regulation of content and transmission is the clarity that it brings with it. In practice, however, it will be less easy to work with such a separation; think for instance about the case of an Internet Service Provider that also provides content, by hosting its own portal site. This ISP will then have to apply the general directive to all its activities and the specific directive (which entails specific obligations) to the activities in which it plays the role of access provider.

Another interesting aspect of the new definition of "electronic communications services" is the reference to the fact that the service should be provided for remuneration. Neither the preamble nor the explanatory memorandum refer to the inclusion of this term or give any guidance as to how to interpret it.

This could be interpreted as meaning that Free Access Providers (FAPs) would fall outside the scope of application of the revised privacy and telecommunications directive, as they do not receive remuneration (or at least not financial) from Internet users. This interpretation is however not correct since it has been made clear in the jurisprudence of the European Court of Justice, when dealing with services in the sense of article 50 (ex article 60) of the EC Treaty [43], that the remuneration does not necessarily have to be paid by the recipient of the service; it can for instance also be paid by advertisers. In the case of the FAPs those who place advertisements or banners in the Internet pages are the ones who in fact offer a remuneration to the FAPs. It is therefore clear that these services fall under the definition of electronic communications service and therefore under the scope of the directive.

It would however be desirable to clarify this issue in the text of the directive since not every reader of the text is aware of the interpretation of this term given by the European Court of Justice. This could be done for instance in the preamble to the directive.

[42] This aspect is not considered in this paper.
[43] Case C-109/92 Wirth [1993] ECR I-6447, 15.

III. Other legal provisions applicable

There are also a number of other Community regulations that deal with some aspects related to the Internet. The following instruments can be mentioned: Directive 1999/93/EC on a Community framework for electronic signatures [44], Directive 97/7/EC on the protection of consumers in respect of distance contracts [45] and Directive 2000/31/EC on certain legal aspects of information society services (Directive on electronic commerce) [46].

However, most of these regulations do not lay down extensive specific rules for data protection and, in most cases, leave the regulation of this matter to the specific Directives. For instance, the electronic commerce Directive lays down, in Recital 14, that "the protection of individuals with regard to the processing of personal data is solely governed by Directive 95/46/EC and Directive 97/66/EC which are fully applicable to information society services (...) and therefore it is not necessary to cover this issue in this Directive", and in Article 1.5 b) that "this Directive shall not apply to questions relating to information society services covered by Directives 95/46/EC and 97/66/EC".

Recital 14 of the e-commerce Directive underlines the fact that the implementation and application of this Directive should be made in full compliance with the principles relating to the protection of personal data, in particular as regards unsolicited commercial communications and the liability of the intermediaries. This Directive cannot prevent the anonymous use of open networks such as the Internet.

Nevertheless, Article 8 of the electronic signature Directive enacts some specific data protection rules for certification service providers and national bodies responsible for accreditation or supervision. This Article obliges the Member States to ensure that certification service providers and national bodies responsible for accreditation or supervision comply with the requirements of the general data protection directive. Furthermore, this provision states that certification service providers who issue certificates to the public may only collect personal data directly from the data subject, or after the explicit consent of the data subject, and only in so far as it is necessary for the purposes of issuing and maintaining the certificate. The data may not be collected or processed for any other purposes without the explicit consent of the data subject.

The third paragraph of Article 8 of this directive is especially important. It declares that, without prejudice to the legal effect given to pseudonyms under national law, Member States shall not prevent certification service providers from giving a pseudonym in the certificate instead of the signatory's name.

The preamble to this Directive (recital 24) emphasises the importance of certification service providers observing data protection legislation and individual privacy in order to increase user confidence in electronic communications and electronic commerce.

[44] Directive 1999/93/EC of 13 December 1999 on a Community framework for Electronic signatures, Official Journal of the European Communities, 19 January 2000, L 13/12 to 13/20.
[45] Directive 1997/7/EC of 20 May 1997 on the protection of consumers in respect of distance contracts, Official Journal of the European Communities, 4 June 1997, L 144.
[46] Directive 2000/31/EC of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (Directive on electronic commerce), Official Journal of the European Communities, 17 July 2000, L 178/1 to 178/16.
IV. Application of national data protection legislation and its international effects

Article 4 1. a) and b) of the Directive provide for the application of national provisions of a Member State where:
- "the processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State; when the same controller is established on the territory of several Member States, he must take the necessary measures to ensure that each of these establishments complies with the obligations laid down by the national law applicable;
- the controller is not established on the Member State's territory, but in a place where its national law applies by virtue of international public law".

The Directive specifies that the notion of establishment implies the real and effective exercise of activity through stable arrangements, and that the legal form of such establishment (branch or subsidiary with a legal personality) is not a determining factor in this respect.

As stated in article 4 1. c) of the Directive, data collected using automated or other equipment located in the territory of the EU/EEA are subject to the provisions of Community data protection law. Recital 20 of the Directive provides further explanation: "the fact that the processing of data is carried out by a person established in a third country must not stand in the way of the protection of individuals provided for in this Directive; whereas in these cases, the processing should be governed by the law of the Member State in which the means used are located, and there should be guarantees to ensure that the rights and obligations provided for in this Directive are respected in practice".

While the interpretation of the notion of "equipment" or "means" has given rise to debate about their extent, some examples undoubtedly fall within the scope of application of Article 4. This will be the case, for example, for a text file installed on the hard drive of a computer which will receive, store and send back information to a server situated in another country. Such text files, named cookies, are used to collect data for a third party. If the computer is situated in an EU country and the third party is located outside the EU, the latter shall apply the principles of the national legislation of that Member State to the collection of data via the means of the cookie. In such a case, according to article 4 2., the controller will also have to designate a representative in the territory of the Member State, without prejudice to legal actions which could be initiated against the controller himself.
V. Conclusions

- Large masses of personal data to which the data protection directives apply are processed on the Internet.
- The general directive applies in all cases while the specific directive applies to telecommunications services. Determining when it is a telecommunication service is sometimes difficult due to the terminology used in Directive 97/66/EC.
- The revision of the legal framework for telecommunications has helped to clarify the scope of application of the privacy and telecommunications directive. Some aspects might however need some additional clarifications, especially the reference to the need to include remuneration in the definition of electronic communications services. The interpretation given to this text by the European Court of Justice should be explained in the preamble to the directive to avoid any possible misunderstanding concerning the scope of application of the directive.
- The European data protection legislation has to be applied to data collected using automated or other equipment located in the territory of the EU/EEA.
CHAPTER 4: ELECTRONIC MAIL

I. Introduction

It is not easy to describe the technical basics of e-mail in a few words. This is mainly due to the following facts:
- There are some official protocols but, as with the HTTP protocol, the degree of privacy risk will depend on the way in which these protocols are actually implemented.
- There are thousands of different e-mail client or server programs and it appears very difficult to draw overall conclusions, since no reliable data are available on the use of such programs.
- The invisible processing operations performed by those programs are, as indicated by the word "invisible", not easy to detect and these programs are becoming so large and complicated that it is almost impossible to be sure that all functionalities, even the most concealed, are listed.

As a result, the following description cannot be considered to be exhaustive, and will not always be representative of what happens daily on tens of millions of personal computers connected to the Internet all over the world.
II. Actors

Several actors are involved in the process of handling an e-mail, and data protection issues need to be considered by each of these actors and at every step of the process. The actors are [47]:
- The sender of a message
- The recipient of a message (holder of an e-mail address)
- The e-mail service provider (Mail Server which stores the e-mail sent to a user until the user wants to get it)
- The software supplier of the e-mail client program for the sender
- The software supplier of the e-mail client program for the recipient
- The software supplier of the mail server program

[47] The telecoms operator is not specifically involved in the e-mail process but plays a key role in conveying the signals that make every form of electronic mail communication possible. This actor has specific security obligations arising from the directives.

III. Technical description

Basically, a user who wants to make use of e-mail needs the following:
- An "e-mail client" which is a program installed on the user's pc.
- An e-mail address (an e-mail account)
- A connection to the Internet

The process of sending an e-mail

A wide variety of "e-mail clients" are available, but they all need to follow the Internet standards. Sending an e-mail basically consists of the following steps:
- The user creates a message in his/her "e-mail client" and fills in the address field of the addressee with the appropriate e-mail address.
- By pressing the "send" button in the e-mail client, the e-mail will be transferred to the mail server of the correspondent (usually an organisation) or to the mailbox at the user's e-mail account by an ISP.
- If the e-mail is delivered to the mail server of the organisation, this mail server will transmit the e-mail either directly to the receiver or to a mail relay server ("outbound relaying").
- The e-mail may pass through several mail relay servers until it reaches the mail server of the receiver.
- The receiver is either directly connected to the mail server (e.g. in a local area network) or he/she needs to establish a connection in order to obtain the mail.
E-mail addresses

An electronic mail address has two parts separated by a "@" character, for example john.smith@nowhere.com or subs34219@nowhere.org

The right part identifies the host where the recipient has an account. It is in fact a DNS name referring to the IP address of the mail server.

The left part describes the unique identification of the recipient. It is the name by which the recipient is known by the e-mail service. There is no technical obligation at all for this identifier to be the actual name of the recipient. It can be a pseudonym chosen by the recipient or a random code arbitrarily given by the mail server during the process of registering the recipient.

From a technical point of view, identification is not necessary to send a mail. In fact it appears to be just like the real world where anybody can send a letter without giving his or her name. When spamming, the sender will not usually use an e-mail account but access the SMTP protocol directly. This will allow him/her to remove or change his/her e-mail address.
E-mail protocols

Two protocols, in addition to the TCP/IP protocol, are used for e-mail:

1. The first is called Simple Mail Transport Protocol (SMTP) and is used to SEND a mail from a client to the mail server of the recipient. The mail is not sent directly to the recipient's client computer because this computer is not necessarily switched on or properly connected to the Internet when the sender decides to e-mail. This means that to receive a mail, the Internet user must have a mailbox (an account) on a server. This also means that the mail service provider has to store the message and wait until the addressee fetches it.

2. The second is called POP protocol and is used by the recipient to establish a connection with the mail server to check if there is some mail for him/her. To do so, the recipient has to provide his/her mailbox name and a password so that nobody else can read his/her mail.

Usually, e-mail client programs include both protocols because an Internet user wishing to send mail also probably wishes to receive an answer.
IV. Privacy Risks

A number of issues raise specific privacy risks.

Collection of e-mail addresses

As stated above, the e-mail address is indispensable in establishing a connection. It is also, however, a valuable source of information which includes personal data on the user. It is therefore useful to find out about different methods of collecting e-mail addresses.

E-mail addresses can be collected in several ways:
- The provider of the "e-mail client" software, which is purchased or obtained free of charge, could ask the user for registration.
- It is also possible to build a code into the client's software which will transmit his/her e-mail address to the software provider without his/her knowledge (invisible processing).
- In some browsers, there have been reports of security holes which allow a website to know the e-mail addresses of visitors. This can be done via a malicious active content using, for example, a JavaScript. Some browsers can also be configured to send the e-mail address as an anonymous password when opening FTP connections (this, however, is not usually a default setting).
- The e-mail address can be requested by various websites in various situations (e.g. on commercial sites in a purchase order, for registration before entering a chat room, etc.).
- E-mail addresses could be collected in public spaces on the Internet in various other ways [48].
- The e-mail could be intercepted during the transmission of a message.
Traffic Data

It is essential to draw a distinction between the content of an e-mail and traffic data. Traffic data are those data needed by the protocols to carry out the proper transmission from the sender to the recipient. Traffic data consist partly of information supplied by the sender (e.g. e-mail address of the recipient) and partly of technical information generated automatically during the processing of the e-mail (e.g. date and time sent, type and version of "e-mail client"). All or part of the traffic data is placed in a header, which is transmitted to the recipient along with the message itself. The transmitted parts of the traffic data are used by the recipient's mail server and "mail client" to handle the incoming mail properly. The recipient could use the transmitted traffic data (e-mail properties) for analysis purposes (e.g. to check the routing of the e-mail through the Internet).

[48] Further investigations on spam and e-mail address collecting have been carried out by the French Data Protection Authority, better known as CNIL. See especially the CNIL report on Electronic Mailing and Data Protection, October 14, 1999, available at the CNIL website: www.cnil.fr

The following items are normally considered to be included under the definition of "traffic data":
- e-mail address and IP address of sender
- type, version and language of the client agent
- e-mail address of receiver
- date and time of sending the e-mail
- size of the e-mail
- character set used
- subject of the mail (this also gives information about the content of the communication)
- name, size and type of any attached documents
- list of SMTP relays used for the transmission

In practice traffic data are normally stored by the e-mail servers of the sender and the recipient. They could also be stored by the relay-servers in the communication path through the Internet.

As traffic data is not formally defined in Directive 97/66/EC, attention should be drawn to the fact that personal data which are not needed for carrying out the communication or for billing purposes but are generated during the transmission, could be wrongly considered by some Internet actors as traffic data, which they think they can store.

The Article 29 WP dealt with some of the privacy problems related to traffic data in Recommendation 3/99 on the preservation of traffic data by Internet Service Providers for law enforcement purposes [49]. The Working Party considers that the most effective means of reducing unacceptable risks to privacy whilst recognising the need for effective law enforcement, is that traffic data should in principle not be kept only for law enforcement purposes and that national laws should not oblige telecommunications operators, telecommunications services and Internet Service Providers to keep traffic data any longer than is necessary for billing purposes.

The Spring 2000 Conference of European Data Protection Commissioners in Stockholm emphasised in its official declaration the fact that, "where traffic data are to be retained in specific cases, there must be a demonstrable need, the period of retention must be as short as possible and the practice must be clearly regulated by law".
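
The traffic data items listed above can be read straight from a message header, without opening the body. The following added example (not part of the Working Party's document) parses a constructed message with Python's standard `email` package and then applies an explicit allowlist before anything is stored; the sample message, the `ExampleMail` client string and the function names are assumptions made for illustration.

```python
import re
from email import message_from_bytes, policy
from email.utils import getaddresses, parsedate_to_datetime

# Constructed sample message (not real traffic). The addresses are the page's
# own examples; hosts and IP addresses use documentation ranges.
RAW = b"\r\n".join([
    b"Received: from relay2.example.net (relay2.example.net [192.0.2.20])",
    b"\tby mx.nowhere.org with SMTP; Tue, 21 Nov 2000 10:15:09 +0100",
    b"Received: from pc17.example.com (pc17.example.com [192.0.2.7])",
    b"\tby relay2.example.net with SMTP; Tue, 21 Nov 2000 10:15:04 +0100",
    b"From: John Smith <john.smith@nowhere.com>",
    b"To: subs34219@nowhere.org",
    b"Subject: Medical appointment on Friday",
    b"Date: Tue, 21 Nov 2000 10:15:02 +0100",
    b"X-Mailer: ExampleMail 4.7 [en]",
    b"MIME-Version: 1.0",
    b'Content-Type: multipart/mixed; boundary="b1"',
    b"",
    b"--b1",
    b'Content-Type: text/plain; charset="iso-8859-1"',
    b"",
    b"See attached.",
    b"--b1",
    b'Content-Type: application/pdf; name="referral.pdf"',
    b'Content-Disposition: attachment; filename="referral.pdf"',
    b"Content-Transfer-Encoding: base64",
    b"",
    b"JVBERi0xLjQK",
    b"--b1--",
    b"",
])


def _addresses(msg, *names):
    """Return the bare addresses found in the named header fields."""
    values = [str(v) for n in names for v in msg.get_all(n, [])]
    return [addr for _, addr in getaddresses(values) if addr]


def extract_traffic_data(raw: bytes) -> dict:
    """Collect the traffic data items listed in the text from one raw message."""
    msg = message_from_bytes(raw, policy=policy.default)
    # Each relay prepends its own Received line, so the last one is the first hop.
    hops = [str(h) for h in reversed(msg.get_all("Received", []))]
    first_ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", hops[0]) if hops else None
    relays = [m.group(1) for h in hops if (m := re.search(r"\bby\s+(\S+)", h))]
    body = msg.get_body(preferencelist=("plain", "html"))
    date = msg.get("Date")
    return {
        "sender": (_addresses(msg, "From") or [None])[0],
        "sender_ip": first_ip.group(1) if first_ip else None,
        "client_agent": str(msg.get("X-Mailer") or msg.get("User-Agent") or ""),
        "recipients": _addresses(msg, "To", "Cc"),
        "sent": parsedate_to_datetime(str(date)).isoformat() if date else None,
        "size_bytes": len(raw),
        "charset": body.get_content_charset() if body is not None else None,
        # The subject is header data, yet it already reveals content.
        "subject": str(msg.get("Subject", "")),
        "attachments": [
            (p.get_filename(), p.get_content_type(),
             len(p.get_payload(decode=True) or b""))
            for p in msg.iter_attachments()
        ],
        "relays": relays,
    }


def minimise(traffic: dict, allowed: set) -> dict:
    """Keep only allowlisted fields; which fields are needed is the caller's decision."""
    return {k: v for k, v in traffic.items() if k in allowed}


if __name__ == "__main__":
    for key, value in extract_traffic_data(RAW).items():
        print(f"{key:13} {value}")
```
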
E-mail content

The confidentiality of communications is protected by Article 5 of Directive 97/66/EC. Under this provision, no third party should be allowed to read the contents of e-mail between two parties. If the e-mail content is stored at relay-servers during transmission, it should be deleted as soon as it has been forwarded. If a relay-server is not able to forward the e-mail, it could be stored for a short and limited period on that server, until it is returned to the sender together with an error message stating that the e-mail could not be delivered to the recipient.

The contents of an e-mail are stored at the mail-server until the user's "e-mail client" asks for it to be delivered. In some cases the user can choose to leave the e-mail stored at the mail-server even if he/she has got his/her own copy. If the user has not exercised this choice, the mail must be deleted as soon as the mail server can be sure that the recipient has received it.

[49] Recommendation 3/99 on the preservation of traffic data by Internet Service Providers for law enforcement purposes, adopted on 7 September 1999, 5085/99/EN/final, WP 25.

If a virus scan is carried out in form of content scanning, it should be set up automatically only for this purpose. The contents must not be analysed for any other purpose and must not be displayed to anybody, even if a virus has been found.

Another privacy risk associated with e-mail is related to the inability of a user to easily and effectively remove an e-mail message that has either been sent or received as the operation of the delete function will not necessarily expunge a mail from the system. It can in that case be relatively easy for another user of the same machine or a system manager in the case of a networked machine to retrieve a message that the original user intended to delete and believes has been removed from the system. This issue is obviously not confined to e-mail but it is particularly significant in this context. In order to address this issue systems should be designed so that the operation of the delete function actually expunges information from the system.
Hardware and software can be used to monitor the traffic on a network. This is called sniffing. The sniffing software is able to read all the data packets on a network thus presenting in clear text all communication which is not encrypted. The simplest form of sniffing can be carried out using an ordinary pc connected to a network using commonly available software. If sniffing is carried out at central knots or junctions in the Internet this could allow for large-scale interception and surveillance of e-mail content and/or traffic data by choosing certain characteristics, typically the presence of keywords. Sniffing, as a general and exploratory surveillance activity, even if conducted by government agencies, can only be allowed if it is carried out in accordance with the conditions imposed by Article 8 of the European Convention on Human Rights.

In this context, it is interesting to note the current concerns expressed world-wide about possible monitoring of international communications and the "Echelon" satellite interception system in particular. Global surveillance is today a hot item on the European Parliament agenda [50]. In a report to the Director-General for Research at the European Parliament [51] on the development of surveillance technology and the risk of abuse of economic information, it is said that the "Echelon" system has been in existence for more than twenty years. According to this report, Echelon makes heavy use of the NSA [52] and GCHQ [53] global Internet-style communications networks to let remote intelligence customers talk to computers at each collection site and receive results automatically.

Another controversial surveillance system is Carnivore which, according to the information published by EPIC [54], monitors traffic at the facilities of Internet service providers in order to intercept information contained in the electronic mail of criminal suspects. EPIC states that Carnivore can reportedly scan millions of e-mails each second and is capable of enabling law enforcement agents to intercept all of an ISP customer's digital communications. Serious questions have been raised in the American Congress, in the media and in the privacy community about the legality of Carnivore and its potential for abuse. In response to the public uproar over Carnivore, Attorney General Janet Reno announced on July 27 2000 that the technical specifications of the system would be disclosed to a "group of experts" to allay public concerns.

[50] For more information, see the European Parliament Committee on Citizens' Freedoms and Rights, Justice and Home Affairs: http://www.europarl.eu.int/committees/en/default.htm See also EPIC Alert 7.07, 20 April 2000.
[51] Report Interception Capabilities 2000, May 1999.
[52] National Security Agency, USA.
[53] British counterpart of the NSA.
[54] EPIC Alert 7.15, August 3, 2000.
The discussion about global surveillance of communications is also on the agenda in the Council of Europe. The Committee of Experts on Crime in Cyberspace released its "Draft Convention on Cyber-crime" on April 27 2000 [55]. This convention would facilitate the collection of information by requiring companies that provide Internet services to collect and store information for law enforcement agencies. It would require international exchange of such information between governmental authorities in different fields of jurisdiction, even with those which are not parties to the European Convention of Human Rights or to other instruments of the Council of Europe or the EU in the field of data protection. So far, no requirement on substance to protect the fundamental right to privacy and personal data in third countries receiving personal data about EU citizens is foreseen nor basic principles for meeting fundamental human rights standard such as necessity or proportionality are provided for.

Without wishing to comment on the text of the draft convention at this point, the Working Party would, however, like to reiterate the point of view stated by the European Data Commissioners in a statement made during the Stockholm conference in April 2000. This statement reads as follows:

The Spring 2000 Conference of European Data Protection Commissioners notes with concern proposals that ISPs should routinely retain traffic data beyond the requirements of billing purposes in order to permit possible access by law enforcement bodies. The Conference emphasises that such retention would be an improper invasion of the fundamental rights guaranteed to individuals by Article 8 of the European Convention on Human Rights. Where traffic data are to be retained in specific cases, there must be a demonstrable need, the period of retention must be as short as possible and the practice must be clearly regulated by law.

The Article 29 Working Party has dealt with the privacy aspects of interception of communications in its recommendation 2/99 [56]. In this recommendation, the Working Party points out that each interception of telecommunications, defined as a third party acquiring knowledge of the content and/or traffic data relating to private telecommunications between two or more correspondents, and in particular of traffic data concerning the use of telecommunications services, constitutes a violation of an individual's right to privacy and of the confidentiality of correspondence. It follows that interceptions are unacceptable unless they fulfil three fundamental criteria, in accordance with Article 8 (2) of the European Convention for the Protection of Human Rights and Fundamental Freedoms of 4 November 1950 [57], and the European Court of Human Rights' interpretation of this provision: a legal basis, the need for such a measure in a democratic society, and conformity with one of the legitimate aims listed in the Convention [58].

[55] The text of the draft treaty is available at: http://conventions.coe.int/treaty/en/projets/cybercrime.htm
[56] Recommendation 2/99 on the respect of privacy in the context of interception of telecommunications, adopted on 3 May 1999, 5005/99/final, WP 18.
[57] It should be stressed that the fundamental guarantees recognised by the Council of Europe on the interception of telecommunications create obligations for Member States regardless of the distinctions made at European Union level according to the Community or intergovernmental nature of the fields addressed.
[58] Council of Europe Convention No 108 also stipulates that interception may be tolerated only when it constitutes a necessary measure in a democratic society for the protection of the national interests listed in Article 9 (2) of that Convention and when it is strictly defined in terms of this purpose.
V. Analysis of special issues

Webmail

E-mail systems that use web pages as an interface are collectively referred to as "Webmail" (e.g. Yahoo, HotMail, etc.). Webmail can be accessed from everywhere and the user does not need to make a connection to a specific ISP, as when using an ordinary e-mail account. Webmail is normally free of charge, but in order to obtain a free account users are often required to supply the provider with personal data. From the investigations carried out by Data Protection Authorities it appears to be the case that many Webmail providers sell or share personal data for marketing purposes.

Webmail uses the HTML protocol (instead of POP) to read and check the e-mail. In fact the messages are delivered on a classical HTML page. This feature allows the mail service provider to include (graphically speaking, outside the message itself) personalised advertising on the HTML page where the message is presented. Webmail is heavily sponsored and many banner advertisements are displayed.

As Webmail systems are based on the HTTP protocol they can be vulnerable to so-called "Web Bugs", that is, an attempt to unmask the e-mail identity of a person using embedded HTML tags and cookies. Webmail providers should not include invisible hyperlinks into web pages where the e-mail account is part of the URL. By doing this they would help transmit the e-mail address of the data subject to the advertising company. This is another way in which the user's privacy is invaded by invisible processing.
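
A provider can check its own page templates for the pattern described above. The following added example (not code from the Working Party's document) scans a rendered Webmail page for third-party URLs that carry the account address, including percent-encoded forms, and marks the ones the user cannot see; the page, the host names and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

URL_ATTRS = ("src", "href", "background", "action")

# Constructed Webmail page served from mail.example.org (hypothetical host).
PAGE = """
<html><body>
<a href="/inbox?user=john.smith@nowhere.com">Inbox</a>
<a href="http://ads.example.net/click?id=77">
  <img src="http://ads.example.net/banner.gif" width="468" height="60"></a>
<img src="http://ads.example.net/b.gif?u=john.smith%40nowhere.com" width="1" height="1">
<iframe src="//track.example.com/f?e=john.smith%2540nowhere.com" style="display: none"></iframe>
<p>Message text ...</p>
</body></html>
"""


class _RefCollector(HTMLParser):
    """Collect every URL-bearing attribute together with its tag's attributes."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attr = {k: (v or "") for k, v in attrs}
        for name in URL_ATTRS:
            if attr.get(name):
                self.refs.append((tag, attr[name], attr))


def _decode(url: str) -> str:
    """Undo up to three layers of percent-encoding (%2540 -> %40 -> @)."""
    for _ in range(3):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url


def _invisible(attr: dict) -> bool:
    """True for 0/1-pixel elements and elements hidden by attribute or style."""
    style = attr.get("style", "").replace(" ", "").lower()
    tiny = attr.get("width") in ("0", "1") and attr.get("height") in ("0", "1")
    return (tiny or "hidden" in attr
            or "display:none" in style or "visibility:hidden" in style)


def audit_page(html: str, account: str, first_party: str) -> list:
    """List third-party URLs in the page that contain the account address."""
    collector = _RefCollector()
    collector.feed(html)
    findings = []
    for tag, url, attr in collector.refs:
        host = (urlsplit(url).hostname or "").lower()  # relative URLs have no host
        third_party = (bool(host) and host != first_party
                       and not host.endswith("." + first_party))
        if third_party and account.lower() in _decode(url).lower():
            findings.append({"tag": tag, "host": host,
                             "invisible": _invisible(attr), "url": url})
    return findings


if __name__ == "__main__":
    for f in audit_page(PAGE, "john.smith@nowhere.com", "mail.example.org"):
        print(f)
```

The first-party inbox link and the visible banner are not reported: the first stays with the provider, the second carries no address.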
Directories

There are several services on the Internet supplying directories of e-mail addresses. These public directories are subject to the same rules as those applicable to telephone directories and other publicly available data, as will be explained in Chapter 6.

Within the existing legal framework, users must be given at the very least the right to opt out of having their data processed, in accordance with Directive 95/46/EC (Article 14) and Directive 97/66/EC (Article 11). It should be noted that the draft revised directive concerning the processing of personal data and the protection of privacy in the telecommunications sector harmonises the obligations of data controllers in this respect, and provides for an opt-in right in directories to be exercised by data subjects. The Working Party considers this an important improvement.
Spam

"Spam" can be defined as the practice of sending unsolicited e-mails, usually of a commercial nature, in large numbers and repeatedly to individuals with whom the sender has had no previous contact [59]. The Article 29 Working Party has already dealt with this issue in its opinion 1/2000 on certain aspects of electronic commerce [60]. The problem from the citizen's point of view is threefold: firstly, the collection of one's e-mail address without one's consent or knowledge; secondly, the receipt of large amounts of unwanted advertising; and thirdly, the cost of connection time.

[59] See CNIL report on Electronic Mailing and Data Protection, October 14, 1999.
[60] Opinion 1/2000 on certain data protection aspects of electronic commerce, Presented by the Internet Task Force, Adopted on 3rd February 2000, 5007/00/EN/final, WP 28.

E-mail addresses can be collected in public directories or by means of different techniques. For instance the e-mail address can be delivered by the user him/herself when buying goods or services via the Internet. In other cases, e-mail addresses supplied by the user to one supplier can be sold by that supplier to a third party.

In the opinion of the Working Party, the rules of the data protection directive provide a clear answer to the privacy issues raised by spam and give a clear picture of the rights and obligations of those involved. Two situations should be distinguished:
- If an e-mail address is collected by a company directly from a person with a view to electronic mailing by that company or a third party to which the data are disclosed, the original company must inform the person of those purposes at the time of collecting the address [61]. The data subject must also, as a bare minimum, be given at the time of collection and at all times thereafter the right to object to this use of his/her data by easy electronic means, such as clicking a box provided for that purpose, by the original company and later on by the companies which have received data from the original company [62]. Certain national laws implementing the relevant directives even require the company to obtain the data subject's consent. The requirements of the e-commerce Directive's Article on unsolicited commercial communications complement these rules at a technical level by imposing the obligation to consult a register on the service provider, without detracting in any way from the general obligations applicable to data controllers.
- If an e-mail address is collected in a public space on the Internet its use for unsolicited electronic mailing would be contrary to the relevant Community legislation, for three reasons. Firstly, it could be seen as "unfair" processing of personal data under the terms of Article 6 (1) (a) of the general directive. Secondly, it would be contrary to the "purpose principle" in Article 6 (1) (b) of that directive, in that the data subject made his/her e-mail address public for a quite different reason, for example participation in a newsgroup. Thirdly, given the cost imbalance and the nuisance to the recipient, such mailing could not be regarded as passing the balance of interest test in Article 7 (f) [63].

A particular feature of electronic commercial mailings is that while the cost to the sender is extremely low compared to traditional methods of direct marketing, there is a cost to the recipient in terms of connection time. This cost situation creates a clear incentive to use this marketing tool on a large scale, and to disregard data protection concerns and the problems caused by electronic mailing.

The cost of unsolicited e-mail is borne both by the recipient and by the Internet Mail provider of the recipient (it can be the web mail server or the ISP of the recipient). The mail server has to store unsolicited e-mails for a while. The recipient has to pay [64] to download a message that he/she does not want and loses time in sorting received messages and throwing away unsolicited mails, especially when spamming messages are not identified as such in the subject line (typically by putting an "ADV:" advertisement code in the first characters of the subject line). It is estimated that spam (also known as unsolicited electronic junk mail) now constitutes ten percent of all world-wide e-mail [65].

[61] Directive 95/46/EC, Article 10.
[62] Directive 95/46/EC, Article 14.
[63] That provision (one of several possible legitimate grounds for processing) requires data processing to be "necessary for the purposes of legitimate interests pursued by the controller ... except where such interests are overridden by the interests of fundamental rights and freedoms of the data subject".
[64] The telecoms operator if the user is using a modem. Otherwise, if the user is using a leased line, even if the cost does not rise immediately (it is a flat fee) due to a spam message, it is clear, from a macroeconomic viewpoint, that the traffic overheads linked to massive spam are charged to the ISPs with subsequent consequences on the price of leased lines.
VI. Confidentiality, security aspects

E-mail offers the same possibilities for communication as traditional mail, so the same rules apply as to the secrecy of the correspondence. Everyone has the right to send a mail to everybody else without that mail being read by a third party. Article 5 of Directive 97/66/EC, which covers communications and related traffic data for example sent by e-mail, lays down obligations as to the confidentiality of communications. In addition to these obligations, Article 4 of the same directive obliges the providers of telecommunications services to take appropriate technical and organisational measures to safeguard the security of their services and to inform users about a particular risk of a breach of security and any possible remedies, including the costs involved.

In the off-line world, everyone has the possibility of sending a letter anonymously or under a pseudonym. In order to be able to send anonymous e-mail, the user can obtain an anonymous e-mail address from several providers of such a service.

From the user's point of view, a number of issues are relevant depending on the type of e-mail:
- Confidentiality, which is protection of the transmitted data to prevent eavesdropping. One possible way to guarantee confidentiality is encryption of the message to be sent. Encryption and decryption are based on programs supplementing ordinary e-mail programs (plug-ins) or e-mail programs and browsers offering these facilities. The strength of the encryption depends on the algorithms and key length used.
- Integrity, which is a guarantee that information is not altered accidentally or on purpose. Integrity can be obtained by calculating a special code on the basis of the text and transmitting this special code which is encrypted along with the text itself. The receiver can then decrypt the code and, by re-calculating the code, check if the message has been modified.
- Authentication, which guarantees that a user is who he/she claims to be. Authentication can be verified by exchanging digital signatures based on digital certificates. These certificates do not need to mention the real name of the user. They can mention pseudonyms, as stipulated in Article 8 of the electronic signature directive [66].
VII. Privacy-enhancing measures [67]

Two kinds of tools deserve mention in this chapter: e-mail filters and anonymous e-mail [68].

1) E-mail filtering screens a user's incoming e-mail and only lets through e-mails that he/she has indicated he/she would like to receive. These systems are largely used to screen out spam. Nowadays several companies provide tools that Internet users can install on their computer to screen out unwanted e-mail. In addition, several e-mail packages allow users to filter messages as they are received at the desktop.

The most effective filters are those that allow in only certain e-mails. Although this system works for those who have an unchanging network of e-mail correspondents, it would be cumbersome for the bulk of the population because each new e-mail partner would have to be approved. The more common filtering technologies allow all e-mail in except for e-mail from certain domain names or e-mail addresses or with keywords in the subject line. However, persistent senders frequently change domain name or e-mail address in order to get around these filters, especially because web-based e-mail accounts are often free and easy to join and leave at any time. Finally, it is difficult to effectively filter by using keywords because the likelihood of error is quite high.

2) Anonymous e-mail allows users to offer their e-mail address on-line without having to give away their identity [69]. This service is currently available free of charge on the Internet through a collection of companies providing "remailer" services. With these services, the remailer strips off a user's identity for delivered e-mail. Replies to the anonymous e-mail go to the remailer, who then matches the anonymous address with the actual e-mail address and delivers the e-mail response securely to the customer.

[65] See the book "Net Worth" (op. cit.), page 3.
[66] Directive 1999/93/EC of 13 December 1999 on a Community framework for Electronic signatures, Official Journal of the European Communities, 19 January 2000, L 13/12 to 13/20.
[67] See Chapter 9 on privacy-enhancing measures for more details.
[68] See the book "Net Worth" (op. cit.), page 275 and following.
VIII.
ConclusionsFromthedataprotectionviewpoint,thefollowingissuesregardinge-mailneedtobeaddressed:Invisibleprocessingperformedby"mailclients"andSMTPrelaysThedatasubjectshouldbegiventheopportunitytoremainasanonymousaspossible,especiallywhentakingpartindiscussionfora.
Itappearstobethecasethatthee-mailaddressesofparticipantstotheseforaareveryoftensenttogetherwiththecontentofthemessage70.
ThisisnotinlinewithArticle6ofDirective95/46/EC,whichlimitstheprocessingofinformationtothatwhichisnecessaryforalegitimatepurpose71.
PreservationoftrafficdatabyintermediariesandmailserviceprovidersAccordingtoArticle6ofDirective97/66/EC,trafficdatamustbeerasedassoonasthecommunicationhasended.
TheDirectiveprovidesforalimitednumberofexceptionstothisprinciple,forexampleiffurtherprocessingisnecessaryforbillingpurposes72.
InterceptionTheinterceptionofe-mail(communicationandrelatedtrafficdata)isillegal,unlessauthorisedbylawinspecificcasesinaccordancewiththeEuropeanConventionof69ThispaperalsoreferstothiskindofserviceinChapter6(publicationsandfora),initssectionVonprivacy-enhancingmeasures.
70Forfurtherdetails,seeChapter6below.
71ThisprincipleisfurtherdevelopedinRecommendation1/99onInvisibleandAutomaticProcessingofPersonalDataontheInternetPerformedbySoftwareandHardware,adoptedbytheWorkingPartyon23February1999,5093/98/EN/final,WP17.
72SeealsoRecommendationn°3/99onthepreservationoftrafficdatabyInternetServiceProvidersforlawenforcementpurposes,adoptedbytheWorkingPartyon7September1999.
40HumanRightsandDirective97/66/EC.
Ineverycase,largescalesniffingmustbeprohibited.
Theprincipleofspecificity,whichisthecorollaryofforbiddingallexploratoryorgeneralsurveillance,impliesthat,asfarastrafficdataareconcerned,thepublicauthoritiesmayonlyhaveaccesstotrafficdataonacase-by-casebasis,andneverproactivelyandasageneralrule73.
Storing and scanning of e-mail content

The content of e-mail has to be kept secret and must not be read either by any intermediary or by the Mail Service Provider, even for so called "network security purposes". If anti-virus scanning software is used to scan attached documents, the software installed must offer sufficient guarantees regarding confidentiality. If a virus is found, the Service Provider should be able to warn the sender of the presence of the virus. Even if this is the case, the e-mail service provider is not allowed to read the content of the message or attachments.

The Article 29 Working Party strongly recommends encrypting the content of e-mails. This is particularly important when it contains sensitive personal data. User-friendly tools for encrypting the content of e-mail messages should be available from providers of e-mail services at no additional cost. At the same time, providers should offer users the opportunity to download e-mails from the mail server of the provider to the client of the user through a secure connection. The need for integrity and authentication should be considered as well.
Unsolicited e-mails (spam)

If an e-mail address is collected by a company directly from a person with a view to unsolicited electronic mailing by that company or a third party to which the data are disclosed, the original company must inform the person of those purposes at the time of collecting the address. The data subject must also be given at the time of collection and at all times thereafter the right to object to this use of his/her data by easy electronic means, such as clicking a box provided for that purpose, by the original company and later on by the companies which have received data from the original company.

If an e-mail address is collected in a public space on the Internet its use for electronic mailing would be contrary to the relevant Community legislation.

E-mail directories

As in the case of telephone directories, the data subject must presently have at least the ability to opt out, in accordance with the above mentioned principles of purpose limitation (Article 6.1b of Directive 95/46/EC) and the right to opt out of directories (Article 11 of Directive 97/66/EC). Furthermore, the data subject should have the possibility to join a special directory of e-mail addresses not to be used for direct marketing purposes. It is important to bear in mind that this right to opt out shall be changed into an opt-in right in the current version of the proposal for a Directive on the protection of privacy in the telecommunications sector; this constitutes a substantial improvement for the data subjects.

[73] See in this context the Working Party recommendation 2/99 on the respect of privacy in the context of interception of telecommunications, adopted on 3 May 1999, 5005/99/final, WP 18.
CHAPTER 5: SURFING AND SEARCHING

I. Introduction

Perhaps the most common activity of Internet users is visiting websites for the purpose of collecting information. This involves passively viewing the content of a web page. It is also possible to interact with websites in a more active way. Often the Internet user has to click through via a hyperlink, push on an advertisement on the screen (banner) or fill in further information on a form. All of these activities will be collectively referred to as 'web surfing'. In practice this is done by means of a web browser that connects the Internet user to a web server somewhere on the Internet.

From a data protection perspective, three major questions can be asked:
- What information on the Internet user's activities is generated during web surfing?
- Where is this information stored?
- What information is requested for services delivered by websites?

The last issue concerns personal data that an Internet user willingly discloses and the corresponding conditions, but will not be discussed here, as this chapter focuses on the personal data inherent in the (technical) process of web surfing. The subsequent steps in the web surfing process are sketched out, and an indication given of the personal data generated.
II. Technical description and actors involved

The process of web surfing

Telecoms providers. In order to contact a website an Internet user generally contacts the Internet by a telephone connection to an Internet Service Provider (ISP). The telecom provider logs the call to the ISP.

Internet Access Provider. The entry point to the ISP is the network access server. This server generally records the Calling Line Identification of the connection. Most IAPs log the login name, login and logout times and the amount of data transferred during a session. It should be noted that in some cases the telecoms provider is also the IAP.

Allocation of the IP address. Once the contact with the IAP has been established, the IAP allocates a dynamic IP-address for the duration of the Internet user's session [74]. Henceforth all communication during a session is to and from this IP-address. The IP number is carried with all the packets transmitted in all subsequent stages of communication. It should be noted that the allocated IP number is always within a certain range of numbers allocated to the respective IAP. Hence external parties can easily retrieve the IAP from which IP-packets originate [75][76].
After this, the Internet traffic is sorted at the ISP by the so-called port number, which specifies the service and corresponding protocol. A request to visit a website is generally done through the HTTP protocol. At the ISP this traffic is recognised by a corresponding port number. It may also be transferred directly to a router which connects the Internet user with the external websites required.

The request is often transferred to a dedicated proxy server. This server logs the request for a certain website. The proxy server contains a copy of the content of the most frequently visited websites. If the website requested by the Internet user is in the proxy server, this server only needs to prompt the respective website for an update of any changes since the moment the copy was stored in the proxy. This measure strongly reduces the amount of data to be exchanged between the ISP and the website, since it only communicates the changes instead of the full pages. The proxy server may store a detailed list of the visits to websites connected to an IP-address at a given time. These can be linked to an individual user by the IP-address and the logging of the session times.

[74] Sometimes static IP-addresses are used for the same user over a long period. Static IP-addresses are often used when alternative access technologies (ADSL, cable, mobile) are used. Since these are becoming more widespread, the relative use of static IP-addresses is growing.
[75] In some cases, other parties, such as universities, organisations or companies may themselves play the role of ISP.
[76] To some extent, IP-addresses are also allocated geographically.
Routers. On the path between the ISP and the website visited, the traffic generally passes through several routers that direct the data between the IP-address of the Internet user and the IP-address of the website. With regard to the storage of personal data, these routers are considered as neutral elements, even though dedicated facilities could be applied to intercept the Internet traffic at these points.

Regular websites. Once the connection with the website has been established, the website collects information on the visiting Internet user. All requests are accompanied by the destination IP-address. The website also knows from which page an Internet user has been transferred (the previous page reference, or URL, is known). The information on website visits is generally stored in the 'Common Log File'. All the above mentioned information can be used to create, by means of a log analyser, accumulated information on the traffic to and from a website and the activities of visitors.

Upon connection with a website, some additional information is collected in the communication between the most common browser software used by Internet users and the websites visited. This is often referred to as 'chattering data'. It generally includes the following items [77]:
- Operating system
- Type and version of browser
- Protocols used for web surfing
- Referring page
- Language preferences
- Cookies

The website has additional gathering power if it posts so-called cookies [78].
These are pieces of data that can be stored in text files which may be put on the Internet user's hard disk, while a copy may be kept by the website. They are a standard part of HTTP traffic, and can as such be transported unobstructed with the IP-traffic. A cookie can contain a unique number (GUID, Global Unique Identifier) which allows better personalisation than dynamic IP-addresses. Such cookies extend the capability of websites to store and 'personalise' information on their visitors. The cookie may be re-read on a regular basis by the site to identify an Internet user and recognise him/her when he/she visits again, check possible passwords, analyse the path during a session and within a site, record transactions, such as articles purchased, customise a site etc.

Cookies can differ in nature: they can be persistent but can also have a limited duration, when they are called "session cookies". In some cases, they may be useful for providing a certain service through the Internet or to facilitate the surfing of the Internet user. For instance, certain custom websites rely on cookies to identify users each time they return, so users do not have to log in to the website each time they check their news. The privacy implications of the use of cookies should however not be underestimated. This issue will be dealt with in the legal analysis section of this chapter.

[77] For more details, see Chapter 2 above.
[78] In this case we refer to persistent cookies, i.e. cookies that persist for longer than one session.
Portal sites

Because of the growing complexity of the Internet, Internet users often connect to a website via a so-called portal site, which provides an overview of web links in an ordered way. Often such portals contain links to commercial sites, and could be compared to a shopping mall hosting many stores. The portal sites collect information in the same way as websites in general, but may also store information on visits to all the sites 'behind' the portal.

A portal site is always hosted by an Internet Service Provider and in some cases can belong to the ISP. In such cases, the ISP has the possibility of collecting data on a user's visits to sites "behind" this portal and can therefore create a complete profile of the user. The Dutch Data Protection Authority (Registratiekamer) concluded in a report [79] about the Internet and privacy, based on investigations into 60 ISPs in the Netherlands, that it is possible for the content provider (in this case the ISP that owns a portal) to know how many advertisements have been placed, how often a user has visited an e-shop, which products he/she has bought and how much he/she has paid for them.

Providers of additional services

The data collected by websites is sometimes (automatically) transferred to a third party to the original communication (e.g. companies specialised in the analysis of web statistics, such as Nedstat). The purpose can be to create accumulated statistical data on visits to the website, which is sold back to the owner of the respective websites.

Advertisement banners generally collect information on the websites visited by a person by means of cookie-files. Service providers like DoubleClick or Globaltrash accumulate the information on website visits to all the different sites on which they put advertisements. A profile of the Internet users' preferences can be compiled with these data, and subsequently used to customise web pages.
Surfing from the perspective of the Internet user

A PC installed with browser software will in many cases, after starting up, automatically load a selected starting page from the web. This starting page may contain hyperlinks that can be activated to visit other websites or search engines. While browsing, the browser programme of the Internet user sends a request to a server (that can be located anywhere in the world) to transmit a specified web page (marked by its URL) that is hosted by this web server. By clicking on a hyperlink the Internet user in fact downloads the requested web page to his/her computer.

After having connected to his/her ISP, the Internet user generally chooses one of the following approaches when surfing:
- Directly addressing the website required by entering the URL, such as www.amazon.com. The URL also contains the protocol.
- Reaching the website via a referring (portal) site that contains hyperlinks towards other sites. These portal services are becoming more popular as the number of web pages is growing and Internet users need more guidance to find interesting material.
- Retrieving relevant sites by first entering a query to a website using a search-engine. Search engines use indexing by means of keywords. The user enters one or more keywords and initiates the search. The search engine then searches for the titles of the corresponding sites and their URL addresses in its own index database.

The search engine has the power to assemble personal profiles as it accumulates the search terms entered by an Internet user and the websites consequently visited. The personalisation is often done by means of cookies. Several search engines also offer more personalised services whereby an Internet user is required to provide information on personal preferences in order to get, for example, regular updates of websites on a certain topic [80].

[79] See the Registratiekamer report (ARTZ, M.J.T. and VAN EIJK, M.M.M.), Klant in het web: Privacywaarborgen voor Internettoegang, Achtergrondstudies en verkenningen 17, June 2000, available at: www.registratiekamer.nl. This report underlines the fact that in the Netherlands almost each access provider has its own homepage that is also used as portal to start surfing.
Overview of the most relevant data generated and stored in different parts of the web surfing process

| | Data generated and/or stored | Remarks |
|---|---|---|
| 1. Telecoms provider | Traffic data of connection to ISP | May be the same party as ISP |
| 2. ISP: Network Access Server | CLI, IP-address, session data | |
| 3. ISP: Proxy | Web pages visited by IP-address at a certain time | |
| 4. Routers | IP-address | |
| 5. Websites | IP-address; Previous page URL; Session data (time, type of transaction); Names and sizes of files transferred; Cookies | Assembled in the 'Extended Common Log File' |
| 6. Portals | Collective information about visits to the websites it refers to; Cookies | Possibility of creating full profiles of users (communication and behavioural data of the user available to the ISP) |
| 7. Service Providers (incl. search engines) | Collected log analysis from websites; Data/profiles from websites accumulated via cookies; Search engines: keywords entered by the Internet user | e.g. NedStat; e.g. DoubleClick |

III. Privacy risks

Millions of Internet users around the world often surf the World Wide Web or search for information on the Internet. These activities are, however, not risk-free from a privacy point of view.
In the context of the Internet, a lot of information is collected and processed in a manner which is invisible to the data subject. The Internet user is sometimes not aware of the fact that his/her personal data have been collected and further processed and might be used for purposes that are unknown to him/her. The data subject does not know about the processing and has no freedom to decide on it [81].

Additional risks exist when data collected during the surfing activities of Internet users can be linked with other existent information on the same user. The fear of such a connection of personal data concerning Internet users has been very present in the discussion on the merger between Internet advertiser DoubleClick and market research firm Abacus Direct. It was feared that, should the two firms merge, the DoubleClick database containing data on Internet usage habits would be cross-referenced with the Abacus Direct database containing real names and addresses, as well as detailed information on customer buying habits [82]. This merger took place in November 1999.

According to the information provided on the DoubleClick website [83], name and address information volunteered by a user on an Abacus Alliance website were to be linked by Abacus through the use of a match code and the DoubleClick cookie with other information about that individual. Information in the Abacus Online database includes the user's name, address, retail catalogue and online purchase history, and demographic data. The database also includes the user's non-personally-identifiable information collected by websites and other companies with which DoubleClick does business. According to DoubleClick, no link has been made up to now between the DoubleClick and the Abacus databases.

[80] In this context it is relevant to mention the Common Position on search engines adopted by the International Working Group on Data Protection and Telecommunications adopted at the Hong Kong meeting on the 15th of April 1998, available at: http://www.datenschutz-berlin.de/doc/int/iwgdpt/pr_en.htm
New monitoring software

New monitoring technologies are becoming available to ISPs which will generate far more information about traffic patterns and content preferences than existed in the public switched telecommunications network (PSTN). Such technologies promise to deliver the Internet equivalent of PSTN call-detail records, and more. These kinds of software programs are popularly known as E.T. applications "because once they have lodged in the user's computer and learned what they want to know, they do what Steven Spielberg's extra-terrestrial did: phone home" [84].

To give an example, Narus, a private software company in Palo Alto, California (USA), offers software to ISPs that 'monitors the data stream and parses each packet to extract packet header and payload information' [85]. Narus claims to work closely with key partners, including Bull, Cisco and Sun Microsystems. This software can be used for the identification and measurement of Internet telephony and other applications (eg, the web, e-mail or IP fax), but it also aims to monitor potentially billable content within the IP traffic (eg copyrighted material requiring a royalty or on-demand use of an application, or audio clips). The Narus software reports to ISPs in real time on the top websites visited as well as the types of content viewed and downloaded [86].

[81] The Article 29 Working Party has already dealt with this topic in its recommendation 1/99, adopted on 23 February 1999: Recommendation 1/99 on Invisible and Automatic Processing of Personal Data on the Internet Performed by Software and Hardware, adopted by the Working Party on 23 February 1999, 5093/98/EN/final, WP 17.
[82] See EPIC alert 6.10, 30 June 1999. The same concern was already raised during the case of Harriet M. Judnick vs. DoubleClick at the Superior Court of the State of California.
[83] www.doubleclick.net:8080/privacy_policy/ This merger is discussed in detail in Chapter 7 on electronic transactions on the Internet.
[84] See the cover-page story of Time magazine by COHEN, Adam on 31 July 2000: How to protect your privacy: who's watching you? They're called E.T. programs. They spy on you and report back by "phoning home". Millions of people are unwittingly downloading them.
[85] http://www.narus.com
Alexa [87] is a tool that can be added to a browser to accompany the user while surfing, by providing additional information about the site visited (about the registered site owner, ratings and reviews of the site) and making suggestions on related sites. In return for providing this service to users, Alexa has compiled one of the largest databases on patterns of web usage. Amazon paid 250 million US dollars in stock for Alexa in early 1999. In its privacy policy, Alexa states that it collects information on web usage which remains anonymous, by using their web usage logs and cookie data.

Amongst other products produced by Alexa is the zBubbles program, an on-line shopping tool that collects surfing data on the user in order to offer product recommendations, comparative shopping advice, etc. According to the information published by Time Magazine [88], zBubbles also sends information back to Alexa when users are not shopping. This product is designed to be installed on the screen during the whole duration of the navigation session, even though most users are not shopping all the time.

Another interesting example of monitoring software is Radiate, formerly known as Aureate. Radiate is an advertising company that works with the makers of shareware. It is reported [89] that Radiate's advertisements came with E.T. software that embedded itself in 18 million people's computers and used their Internet connection to report back on what advertisements people were clicking on. The original version of Radiate's software, which still resides in countless computers, was written to keep phoning home even after the shareware that put it there was deleted. Users needed a special tool to delete the file, which the company provided on its website later on.

Presently hundreds of E.T. applications exist. More than 22 million people are believed to have downloaded them [90]. E.T. monitoring software programs are again an example of technologies that process personal data on users without their knowledge (invisible processing): most computer users have no idea that these software programs have been placed in their computers.

Often the makers of these E.T. applications say that, although they are able to collect data about computer users, they do not connect them to individuals. This does not, however, offer sufficient guarantees to the user since, given the commercial value of individualised data, companies that collect them could change their policies at any time. The potential risk of data misuse is still there [91].
IV. Legal analysis

The point of departure for the legal analysis of surfing and searching phenomena on the Internet is that both data protection directives (Directive 95/46/EC and 97/66/EC) apply in principle to the Internet [92].

[86] See PALTRIDGE, Sam, Mining and Mapping Web Content, in: Info, The Journal of policy, regulation and strategy for telecommunications, information and media, vol. 1, no. 4, August 1999, p. 327-342.
[87] http://www.alexa.com
[88] As mentioned in the article by COHEN, A. in Time Magazine (op cit.).
[89] As mentioned in the article by COHEN, A. in Time Magazine (op cit.).
[90] As mentioned in the article by COHEN, A. in Time Magazine (op cit.).
[91] As mentioned in the article by COHEN, A. in Time Magazine (op cit.).
[92] See WP 16, Working document: Processing of Personal Data on the Internet, adopted by the Working Party on 23 February 1999, 5093/98/EN/final.
Main provisions of the general directive 95/46/EC: Finality principle, fair processing and information to the data subject

Three of the issues dealt with in the general directive deserve special attention in this chapter: the finality principle, the principles of fair processing and the information to be given to the data subject.

Information to the data subject

On the Internet, data flows happen very quickly and the traditional rules concerning information to the data subject about the processing and the finality are often ignored. In some cases, Internet users are not fully aware of the existence or capacities of the software or hardware through which the processing takes place (for instance cookies or E.T. software applications).

The Working Party has dealt with these cases in its recommendation 1/99 [93]. In this recommendation, the Working Party underlined the fact that a condition for legitimate processing of personal data is the requirement that the data subject be informed and thus made aware of the processing in question. Internet software and hardware products should provide Internet users with information about the data that they intend to collect, store or transmit, and the purpose for which these are required. Internet software and hardware products should also enable the data user to easily access any data collected on him/her at any later stage.

The speed of data flows on the Internet cannot be used as an excuse for not fulfilling the obligations of the general directive. In fact, the Internet is a medium that makes it possible to provide quick and simple information to the data subject.
Whenever personal data are going to be collected, essential information [94] should be given to the individual in a way which should ensure a fair collection of personal data, i.e., depending on the situation, either directly on the screen or form where the collection takes place, or through a box prompt on the screen (for instance in case of sending of cookies). The occasion should be given to the individual to click somewhere if he/she does not agree to this processing or if he/she wishes to have additional information.

Some websites post a privacy policy in which information is given about the data they process, the finalities of the processing and the way in which a data subject can exercise his/her rights. This is however not always the case and, even when privacy policies are posted, they do not always contain all the necessary information. While being very much in favour of posting accurate and complete privacy policies, the Working Party strongly encourages the provision of information to the data subject directly on the screen or using information boxes prompting on the screen at the point when data are collected without requiring the data subject to take any positive action to access this information, as Internet users do not always read the privacy policies of all the sites they visit when surfing from one to another.

In order to play a serious information role, privacy policies should not be too long, have a clear structure and provide accurate information about the data policy of the site in clear and understandable terms. The work of the OECD in this field (privacy policies generator or privacy wizard) could help achieve these goals, although using the generator does not in itself guarantee compliance with the European Directives.

In practice, privacy policies are on their own unlikely to be sufficient as it is often the case that the posted privacy policies do not contain sufficient information from a data protection point of view. A recent study carried out in the USA by EPIC [95] of the privacy policies of the top 100 e-commerce sites showed that few high-traffic websites offered appropriate privacy protection. In fact, not a single one of them fulfilled important elements of the Fair Information Practices investigated in the survey [96].

[93] Recommendation 1/99 on Invisible and Automatic Processing of Personal Data on the Internet Performed by Software and Hardware, adopted by the Working Party on 23 February 1999, 5093/98/EN/final, WP 17.
[94] The information in the box should at least contain details on who controls the processing, the finalities of the processing and, where applicable, the right to object to the processing.
Finality principle

The information to be provided to the data subject should in all cases contain ample and clear facts as to the finality of the processing. Article 6 of the general directive prohibits further processing of the data for a non-compatible use. This principle is especially important for websites collecting information from Internet users about their surfing behaviour, for software programs authorised by the user to monitor their Internet behaviour for a specific purpose but not for other (unknown) purposes, and also for Internet Service Providers.

Navigation data on Internet users should in principle only be collected by Internet Service Providers in so far as they need to provide a service to the user, in this case to visit the sites he/she so wishes. Internet Service Providers sometimes cite the need to keep these data in order to be able to monitor the performance of their systems. It is, however, not necessary to keep identifiable data for that purpose, since it is possible to measure and monitor the performance of a system on the basis of aggregated data.

A recent Registratiekamer report [97] concluded that when ISPs keep traffic data at individual level on users, they do not do so in their role as access provider. This information is especially interesting for them for their activities as content providers. It should, however, be made clear that this is a totally different purpose.

It would be useful if the purpose limitation principle could be embedded in technical means. This should also be seen as a form of Privacy-Enhancing Technology [98].
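
The point made above, that system performance can be measured from aggregated data without keeping identifiable records, can be built into the logging pipeline itself. The following Python code is an added example, not part of the Working Party's document: it reads web or proxy log lines in the combined log format and keeps only hourly per-page counters, dropping IP address, login name, referring page, browser string and query string. The log lines are constructed, and the function names and the min_count threshold are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined ("extended") log format:
# host ident user [time] "request" status bytes "referrer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
    r'(?: "(?P<referrer>[^"]*)" "(?P<agent>[^"]*)")?\s*$'
)

# Constructed sample lines (documentation IP ranges, invented user and URLs).
SAMPLE_LOG = [
    '192.0.2.10 - alice [21/Nov/2000:10:02:11 +0100] "GET /news/index.html HTTP/1.0" '
    '200 5120 "http://portal.example/search?q=clinic" "Mozilla/4.7 [en] (Win98; I)"',
    '192.0.2.10 - alice [21/Nov/2000:10:02:40 +0100] "GET /news/index.html?session=abc123 HTTP/1.0" '
    '200 5120 "-" "Mozilla/4.7 [en] (Win98; I)"',
    '198.51.100.7 - - [21/Nov/2000:10:15:03 +0100] "GET /news/index.html HTTP/1.0" '
    '304 - "-" "Mozilla/4.0 (compatible; MSIE 5.0)"',
    '198.51.100.7 - - [21/Nov/2000:10:47:59 +0100] "GET /shop/basket HTTP/1.0" '
    '500 312 "http://shop.example/" "Mozilla/4.0 (compatible; MSIE 5.0)"',
    '203.0.113.5 - - [21/Nov/2000:11:01:00 +0100] "GET /news/index.html HTTP/1.0" '
    '200 5120 "-" "Lynx/2.8"',
    'this line is not a log entry',
]


def parse_line(line):
    """Parse one log line into a dict, or return None if it is malformed."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "host": m.group("host"),            # identifiable: IP address
        "user": m.group("user"),            # identifiable: login name
        "time": datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z"),
        "target": m.group("target"),        # may carry session ids or search terms
        "status": int(m.group("status")),
        "size": 0 if m.group("size") == "-" else int(m.group("size")),
        "referrer": m.group("referrer"),    # identifiable: previous page
        "agent": m.group("agent"),          # "chattering data"
    }


def aggregate(lines, min_count=2):
    """Reduce raw log lines to hourly per-page counters.

    Only the hour, the path without its query string, the status class and
    the byte count are used; every other field is discarded. Buckets with
    fewer than min_count requests are folded into an "(other)" bucket for
    that hour, so a rarely visited page is not listed next to a timestamp.
    Returns (counters, number_of_unparseable_lines).
    """
    buckets = defaultdict(lambda: {"requests": 0, "bytes": 0, "errors": 0})
    skipped = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        hour = rec["time"].strftime("%Y-%m-%d %H:00")
        path = rec["target"].split("?", 1)[0]   # drop query string
        stats = buckets[(hour, path)]
        stats["requests"] += 1
        stats["bytes"] += rec["size"]
        if rec["status"] >= 500:
            stats["errors"] += 1

    result = {}
    for (hour, path), stats in buckets.items():
        key = (hour, path) if stats["requests"] >= min_count else (hour, "(other)")
        out = result.setdefault(key, {"requests": 0, "bytes": 0, "errors": 0})
        for name in out:
            out[name] += stats[name]
    return result, skipped


if __name__ == "__main__":
    counters, bad = aggregate(SAMPLE_LOG)
    for key in sorted(counters):
        print(key, counters[key])
    print("unparseable lines:", bad)
```

Only the output of aggregate() would be retained; the raw lines are the traffic data that the text says should not be kept in identifiable form for performance monitoring.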
Fair processing

Article 6 of the general directive contains a number of principles aimed at guaranteeing the fair processing of personal data. One of them is the finality or purpose limitation principle, to which the previous paragraphs referred. This Article also specifies that personal data should be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data are collected. This means that once data are anonymised so that it is no longer possible to link the data to the data subject, they can be used for other purposes - for instance, to measure the performance of the service offered by an ISP or to compile a survey of the number of visitors to a website.

Leading search engines keep query logs consisting of a record of queries and other information, including the terms used [99]. The terms used are of interest to businesses trying to select meta-tags for web pages and for gauging on-line demand for content related to a particular product, company or brand name. If no link exists between the query log and the identity of the Internet user who entered the keyword, there are no legal obstacles to hinder keeping these aggregate data.

If they are not anonymised, data on searching and surfing on the Internet should not be kept once the Internet session has finished. This aspect will be explained in more detail when dealing with the provisions of the specific privacy and telecommunications directive on traffic data.

When considering the fairness of the purpose of data processing, Article 7 of the Directive should also be taken into consideration. This Article sets out several conditions for fair processing, including the consent of the individual and the balance between the legitimate interest of the data controller and the fundamental rights of the individual. This balance of interests should always be borne in mind by the data controller when collecting data from an Internet user.

[95] Survey "Surfer Beware III: Privacy Policies Without Privacy Protection", see EPIC alert 7.01, 12 January 2000. Available at www.epic.org/reports/surfer-beware.html
[96] The American Fair Information Practices serve as basic guidelines for safeguarding personal information in the USA.
[97] Klant in het web: Privacywaarborgen voor Internettoegang (op cit.)
[98] See Chapter 9 below.
Main provisions of the specific privacy and telecommunications directive

As can be seen in the table presented in Chapter 3, there are some provisions of the telecommunications directive which are especially relevant to surfing and searching on the Internet.

Even if the title of Directive 97/66/EC refers to the telecommunications sector in general, it is clear that the terminology used in the text itself is chosen on the basis of ISDN technology. Most of the provisions of this directive use terms such as "calls", which allude to traditional and ISDN telephony and make it more difficult to apply to Internet services. Nevertheless, it is usually possible to include Internet services within the scope of application of the directive although, as can be seen from the following paragraphs, some difficulties have to be faced.

Many of these terminology problems are, however, solved in the text of the proposal for a revised directive of 12 July 2000 [100]. In this proposal, a number of definitions are updated to ensure that all the different types of transmission services for electronic communications are covered, regardless of the technology used. The references to the term "calls" are now limited to cases in which the legislator specifically wishes to refer to telephone calls, as is made clear by the inclusion of a definition of this word in Article 2 e) [101]. In all other cases, the new text refers to "communications" or "communications services".

The following paragraphs will comment on the most relevant provisions of Directive 97/66/EC. Where useful, this paper will refer to the changes introduced by the new proposal for a revised directive.
Article 4: Security

Providers of telecommunications services should offer adequate security measures which take into account the state of the art. These measures should be proportional to the risks involved in the specific situation. This provision is especially relevant for the providers of routers and connecting lines as these facilities carry massive amounts of information.

In the new proposal, this Article remains unchanged except for the replacement of the term "telecommunications service" by "electronic communications services".

[99] See PALTRIDGE, S., Search engines and content demand, in Mining and Mapping Web Content, in: Info, The Journal of policy, regulation and strategy for telecommunications, information and media, vol. 1, no. 4, August 1999, p. 330-333.
[100] COM (2000) 385.
[101] "Call" shall mean a connection established by means of a publicly available telephone service allowing two-way communication in real time.
Article 5: Confidentiality

National regulations shall ensure the confidentiality of communications. They shall in particular prohibit listening, tapping, storage or other kinds of interception or surveillance of communications, by parties other than users, without the consent of the users concerned [102].

There are several actors involved in surfing and searching activities on the Internet to whom this Article applies: providers of routers and connecting lines, Internet Service Providers and telecommunications providers generally.

In principle, this Article refers to the content of the communication. The distinction between traffic data and content is not, however, easy to apply in the context of the Internet, and certainly not when referring to surfing. Surfing data could in principle be regarded as traffic data. However, the Working Party thinks that surfing through different sites should be seen as a form of communication and as such should be covered by the scope of application of Article 5.

The surfing behaviour of an Internet user (navigation data) visiting different websites can in itself reveal a lot about the communication taking place. By knowing the names of the websites visited, one can in most cases gain a fairly accurate picture of the communication which has taken place. Furthermore, it is then straightforward for anyone armed with the traffic data to visit the site and see exactly what content was accessed.

The Working Party thinks, therefore, that the surfing data of an Internet user should receive the same level of protection as "content". This form of communication should therefore remain confidential. In this sense click streams can be considered as falling within the scope of application of this Article.

The new proposal for a revised directive defines "traffic data" in Article 2.1 c): "traffic data" shall mean any data processed in the course of or for the purpose of the transmission of a communication over an electronic communications network. Navigation data would therefore fall within this definition and be considered as traffic data.

The revision of this Directive has brought major improvements by extending the scope of Article 5 to cover not just the content of the communication but also the related traffic data. By giving equal protection to content and related traffic data the (sometimes difficult) distinction between these concepts becomes less important. The Working Party welcomes this improvement.
Article 6: Traffic and billing data

Traffic data must be erased or made anonymous upon termination of the call.

In order to interpret this Article in an Internet context, it is necessary to define what can be considered as traffic data and what can be seen as the content of the communication. This Article seems to be closely related to circuit-switched telecommunications connecting two or more communicating parties. Traffic data are created in the process of establishing and maintaining this connection. This makes the application of this Article in an Internet context especially difficult.

The following applies to Internet traffic: packets that are transmitted are 'wrapped' in several 'protocol' headers (for instance, TCP-header, IP-header and Ethernet-header). These protocol headers are read in every node (router) a packet passes through, to decide where the packet is to be sent next. There does not, however, seem to be any need for every intermediate node to store any header information after a packet has been transmitted.

Processing of header information (which might also include data on the content of the packets) should be considered as traffic data in the sense of Article 6 of Directive 97/66/EC and should therefore be made anonymous or erased once these data are no longer needed to maintain the communication; in other words, as soon as the website is accessed by the Internet user.

There is no doubt that data such as the session login data (login and logout times, amount of data transferred, time of starting and ending the session and so on) should be included within the scope of application of Article 6. The list of websites visited by an Internet user (surfing behaviour) must in all cases be considered as traffic data (and possibly be given the same protection as content). Above all, this list should in principle be erased upon termination of the Internet session.

It is interesting to note that a record of a user's own surfing activities is kept in his/her personal computer. This can be a problem when several people share the same computer.

The Working Party has in the past given its views on the issue of ISPs preserving traffic data for enforcement purposes [103]. This recommendation states that traffic data which are not necessary for billing should not in principle be kept. In the case of free ISPs, there would then be no need to keep traffic data as they do not need it for billing any longer than they need for their normal operations.

The revised directive replaces the terms "upon termination of the call" by "upon completion of the transmission", which makes things much clearer. Surfing behaviour should therefore be erased once the Internet connection has ended.

The new text introduces the possibility of further processing for the provision of value-added services or for marketing one's own electronic communications services if the subscriber has given his/her consent. The term "value added service" is not, however, defined in the context of this proposal; the Working Party feels it is necessary to clarify what this definition should include in order to guarantee the limitation of the purpose and limit new risks to privacy. Similarly, the Working Party recommends that a "necessity test" be included concerning the possibility of processing traffic data for the provider's own marketing [104].

[102] See in this respect the Working Party recommendation 2/99 on the respect of privacy in the context of interception of telecommunications, adopted on 3 May 1999, 5005/99/final, WP 18.
Article 8: Calling and connected line identification
There are no calling lines on the Internet to be identified or not. There is no separate routing channel by which the identity of the calling party can be indicated before the connection has been established. On the Internet, the IP-address cannot be separated from the communication (the packets), so the concept of CLI is not directly applicable. Technically speaking, it is not possible to provide Internet-related telecommunications services without transmitting and using the IP address used by the Internet user during a session. It can therefore be concluded that Article 8 of the telecoms directive cannot be applied to IP addresses in the same way as it is applied to telephone numbers.
The proposal for a revised directive of 12 July 2000 follows this line of thinking. The wording of this Article remains practically unchanged and refers to "calls", a concept that is reserved for telephone services in the new text.
[103] Recommendation 3/99 on the preservation of traffic data by Internet Service Providers for law enforcement purposes, adopted on 7 September 1999, 5085/99/EN/final WP 25
[104] See opinion 7/2000 of the Working Party, adopted on 2 November 2000, WP 36.
V. Privacy-enhancing measures
Privacy protection when web surfing can be made effective in several ways. Here are some options for improving the privacy protection of the user[105].
Firstly, many personal data retrieval methods are based on the use of cookies. The browser software used by the Internet user makes it possible to refuse the posting of cookies on his/her hard disk, on a case-by-case basis or systematically. It should be noted, however, that more and more websites are only offering a full service if the cookie function is enabled.
On 20 July 2000, Microsoft announced that it was introducing a beta security patch for the next version of Internet Explorer to allow for better management of web cookies[106]. The test version of the patch should be available to the public by the end of August. According to preliminary information, the patch will offer several features to allow users to control cookies more effectively. The browser will be able to differentiate between first-party and third-party cookies and the default setting will warn the user when a persistent third-party cookie is being posted. Persistent third-party cookies are heavily used by Internet advertisers, such as DoubleClick or Engage, to track computer users' activities. In addition, the new functionality will allow Internet users to delete all cookies with a single click and will make information about security and privacy more easily accessible.
The security patch does not, however, increase consumer control over the use of first-party cookies prevalent on commercial websites. The cookie management features follow on the heels of other recent security patches issued by Microsoft to correct data leak issues. In May 2000, the company released a patch for the popular Outlook program that would turn off cookies in e-mail messages. It is however regrettable that this technology still does not enable the site originating the cookie to indicate immediately the finality for which the cookie will be used.
Secondly, the ISP may positively contribute to the Internet user's privacy by limiting the personal data stored to the minimum required to establish communication and maintain technical performance. In particular, in many cases it is possible for the ISP to hide the IP-number of an Internet user from a website by referring to that site from a special proxy server. In that case only the masqueraded IP number allocated by the proxy server is transmitted, while the address of the Internet user is kept with the ISP. Such services are, however, rarely offered as a standard service.
Thirdly, it is possible for some portal sites to act as trusted parties which guard the user's personal data. Such 'infomediaries' may act as vigilantes who only supply personal data to websites that respect the Internet user's privacy, or they may 'barter' the personal data submitted for certain benefits with the full information and consent of the Internet user[107]. This last option should however be viewed with caution.
The most rigorous method is for the Internet user to choose services that intentionally hide his/her IP-address from the websites visited. Some 'anonymiser' websites and corresponding dedicated software products are available to hide the Internet user's IP-address by redirecting the communication across dedicated servers that substitute the IP-address with another.
The existence of new software monitoring E.T. programs obviously raises new questions about possible ways of protecting against these programs. One possible – but not easily workable – protection method[108] would be to physically segment computer hard drives into public and private areas, so that downloads do not have access to information which people want to keep confidential. In any case, extreme care is recommended when downloading applications from the Internet or from e-mail.
[105] See Chapter 9 on privacy-enhancing measures for more details.
[106] EPIC Alert 7.14, July 27, 2000.
VI. Conclusions
It is necessary to provide anonymous access to Internet to users surfing or searching in the Net. Therefore, the use of proxy servers is highly recommended.
The increasing use of monitoring software is a trend that should be considered and given the necessary attention as it can have serious consequences for the privacy of the Internet users.
Some of the concepts and definitions used in the present wording of the telecoms directive are not easy to apply in the context of Internet-related services.
- The traditional separation between content and traffic data cannot be easily applied to Internet activities, particularly not in the context of surfing. On one hand, the concept of traffic data should be broadly interpreted to include header data as well as all login data. On the other hand, surfing behaviour data should be given the same level of protection as content data.
- The provisions on CLI would also need to be reviewed in the context of the Internet.
The revision of this directive has led to a big improvement on the first of these points by extending the scope of Article 5 to include not just the content of the communication but also the related traffic data, thus giving equal protection to both. The Working Party welcomes this improvement. The second problem has also been solved by making it clear that this provision only applies to telephone calls and not to the Internet.
The revision of the directive has greatly increased its clarity by adapting the terminology to the present broader context, thus facilitating interpretation of the existing provisions. The Working Party would however like to point out that the concept of "value added services" needs further specification in order to exclude too broad an interpretation.
[107] See the book "Net Worth" (op cit.) for more details.
[108] As suggested by Cheswick, chief scientist at Lucent Technologies, in the Article by COHEN, A. in Time Magazine (op cit.).
CHAPTER 6: PUBLICATIONS AND FORA
I. Introduction
Publications and fora available on the Internet share a common feature in that they make personal data publicly available, with (e.g. public discussion fora) or without (e.g. directories) the participation of the person concerned.
The reasons for publishing personal data vary depending on the context. The Internet user can disclose some information because he/she is asked to do so in order to access a chat room, for example, or the information can be published by a third party, such as a public administration, for administrative reasons.
The fundamental question raised by this disclosure of information is the application of privacy principles to data publicly available on the Web. Contrary to a widespread opinion, the protection of the data protection legislation still applies to data made public.
This chapter will pay particular attention to the reasons and the necessity for each publication of personal data, to the purpose of the publication and to the risks of misuse of those data.
II. Technical description
Public discussion fora
The technical aspects of data processing on public discussion fora vary depending on the nature of the forum. Two main kinds of fora can be distinguished: newsgroups and chats.
Newsgroups
Newsgroups are fora classified by subject, where all data sent by users are stored for a fixed period of time, in order to allow contributions or answers of users on a specific subject. A question or Article includes a "title" and a "body". The link between an Article and the answer to that Article is a "thread".
Messages are transferred to newsgroup servers using specific protocols. The usual processing protocol for news is NNTP (News Network Transfer Protocol), although some newsgroups also use the HTTP protocol. NNTP processes permanent connections between newsgroups servers, and updates messages automatically. Messages are kept by a newsgroup server on a hard drive, which can be consulted by any person connected. News is presented in HTML format.
Each server compares its list of Articles in every discussion group with the others, and exchanges new Articles with them. Such comparisons result in millions of exchanges of data on the Internet. Given the number of groups, users only store a selected list of groups, and the consultation software only presents the titles of news items, leaving downloading of the body of the Articles to the initiative of interested users.
Chats
There are three main kinds of Internet chat: Internet Relay Chat (IRC), Webpage (Java) Chat, and ICQ (I seek you) Chat.
1. IRC is the original chat medium on the Internet. It uses a protocol allowing users to communicate in real time publicly in a forum with an undefined number of people, or privately with only one correspondent. Chat rooms depend on the subjects discussed, like newsgroups, but differ in that the channels are cancelled at the end of a discussion. Due to delays in the transmission of information on the main IRC, independent networks have been created. The main networks are EfNet, UnderNet and DalNet.
2. Webpage Chat makes it possible to chat without a separate program: the only tool required is a recent Internet web browser. There are two kinds of webpage chat: the dedicated webpage chat, available on most of the web portal search sites, and webpage chat set up by an individual on his/her own home page. While webpage chat is simple to use, it also has limited capabilities: it is only possible to exchange text, and it is not possible either to change colours or send sounds, or to send or receive files, to run scripts or customise anything about the chat interface, unlike IRC.
3. ICQ is a tool which informs the user who is on-line at any time. It informs the user when pre-defined persons (on a personal contact list) log on, and allows him/her to contact them, chat and send messages to them while still surfing the Net – provided all participants are using ICQ. The program can be told to set the user as invisible, away or not available.
Publications and directories
Publications and directories are usually available on the Internet in the form of a database, offering search criteria in order to obtain information on one or several individuals.
The source of information for telephone directories is traditionally the official national directory edited, depending on the country, by the main telecoms operator or an ad hoc company responsible for its compilation, on the basis of the list of telephone subscribers. E-mail directories are compiled using various means, from the voluntary inscription of Internet users on a list presented by an ISP, to uncontrolled collection of e-mails on websites such as newsgroups.
Other forms of publications, such as lists provided by public bodies, are drawn up depending on the subject. They can include, for example, the case-law of a country, with the dates of judgements, courts, location, perhaps even the names of the parties, the judge, and a summary of the case.
Most Internet databases offer several search criteria, allowing personalised access to the information and results structured in different ways. In a telephone directory, a search could be started from a name or telephone number, in a case-law database the criteria could be the date of a judgement, the name of a party, etc.
III. Privacy risks
Public discussion fora
The main risk in terms of privacy[109] results from the accessibility of the personal data disclosed by the Internet user. The accessibility of data can lead to further collection and utilisation for purposes which are not always clearly foreseen by the person participating in the public forum. Nor is the person always aware of the details usually published together with the content of the contribution made on the forum.
In the case of newsgroups, for example, the e-mail address of the contributor is usually published together with the name or pseudonym of the person posting the message[110]. Some chat fora display the IP address of a participant's computer, as well as his/her pseudonym. Some Internet Service Providers allow for the possibility of attending a forum without being identified by the other participants but also, on the other hand, the possibility of attending but allowing other participants to read a specific profile drawn up by the person concerned.
The personal information available on-line varies from one forum to the other. A general rule is that in order to access a chat room, a detailed identification list is completed at the request of the Internet Service Provider, which usually includes the e-mail address, birth date, country, sex and sometimes certain preferences of the person.
From a technical point of view, the provision of such detailed information is not, however, necessary for the smooth operation of the newsgroup or chat service, in the sense of Article 6 of Directive 95/46/EC. This registration information could, moreover, lead to further utilisation of the data by the ISP, and could be combined with additional details on the person collected on-line in chat rooms.
[109] The Spanish Data Protection Authority (Agencia de Proteccion de Datos) has addressed this issue in its document "Recomendaciones a los usuarios de Internet" (Recommendations to Internet users), available in Spanish and English on its website: www.agenciaprotecciondatos.org
Two of the main purposes for using the data collected and/or published are:
1. to control the nature of the content broadcast. This is done to ensure that inappropriate content is not made available and/or to establish liability if any of the content proves to be illegal[111]. For that purpose, and in order to keep the content identifiable, data traces are often kept whenever material is contributed, without pre-selection, even though only the e-mail address and possibly the name of the contributor would be sufficient.
2. the compilation of lists of personal data. Personal data can be collected on the Web by means of software which can search the network and draw together all the available data about a named person. The Working Party quoted in its recommendation 3/97[112] from a newspaper Article explaining how one could compile a detailed biography of a randomly selected individual using such software and exploiting information from all the discussion groups in which the person participated, including, for example, his/her address, telephone number, place of birth, workplace, favourite holiday destination and other personal interests.
These data can be collected and further processed for different purposes, such as direct marketing, but also credit rating, or selling the data to insurance companies or employers. Some Internet sites already offer publicly available search tools which make it possible to find all the messages contributed in newsgroups by one person on the basis of his/her name or e-mail address[113].
[110] The e-mail address often includes the name of the Internet user in its first part, especially when the address is automatically defined by an IAP using the registered name of the user. Most of the time however, the user can change the content of that part of the address and, for example, use a pseudonym. It is also possible to ask for a second address, for which the IAP will allow the user to choose the name.
[111] Perhaps to avoid that liability falling on the service provider responsible for the fora.
[112] Recommendation 3/97 on anonymity on the Internet, adopted by the Working Party on 3 December 1997.
[113] See, for example, the Internet site of Deja: "http://www.deja.com/home_ps.shtml", which provides a "power search tool" offering several search criteria including the author of newsgroup messages. The site mentions that it has the most extensive database of newsgroup contributions on the web.
Publications and directories
The on-line availability of personal information taken from public registers or other publicly available sources such as directories, raises similar questions to those mentioned above. They relate to the further possible use of personal data on a worldwide level for a purpose different from the one for which they were first made publicly available[114].
As has already been stressed, the computerisation of data and the possibility of carrying out full-text searches creates an unlimited number of ways of requesting and sorting information, with Internet dissemination increasing the risk of collection for improper purposes. Furthermore, computerisation has made it much easier to combine publicly available data from different sources, so that a profile of the status or behaviour of individuals can be obtained.
In addition, particular attention should be paid to the fact that making personal data publicly available serves to fuel the new techniques of data warehousing and data mining[115]. Using these techniques, data can be collected without any advance specification of the purpose, and it is only at the point of actual usage that the various purposes are defined[116].
Several specific cases can be mentioned to illustrate this area of concern:
- Whilst case-law databases are public legal documentation instruments, their publication in electronic form on the Internet, providing wide search criteria on court cases, could lead to the creation of information files on individuals. This would be the case if the databases were consulted in order to obtain a list of court judgements on a specific individual rather than to find out about case law.
- Specific information on an individual can also be obtained by combining the data included in separate electronic databases. Names of people not entitled to vote could be obtained in this way by combining the population registers with the electoral rolls.
- Address directories on the Internet usually provide search criteria on individuals not just by name, but also by address and by telephone number. Individuals do not foresee such reverse searches when they consent to the publication of their address in the "paper" telephone directory. The availability of data in electronic form means it could be used for different purposes: e.g., direct marketing, by selecting categories of persons living in the same area (perhaps to sell alarm systems in residential areas), or the identification and filing of a person who telephones a firm for a simple - and to his mind - anonymous request for information.
Publications on the Internet can lead to other forms of collecting personal information, targeting not just personal information included in a chat, a public register or a directory, but also direct information provided in a personal web page. Automatic indexing of those pages by search robots can lead to the compilation of files which include personal information from those pages, and the possible marketing and spamming of the author of these pages or of persons contributing to them.
[114] See on this subject the contribution of Mr. Marcel PINET, member of the CNIL, at the International Conference of Data Protection Commissioners organised in Santiago de Compostela, Spain, in September 1998, available at www.cnil.fr, under Internet-Initiatives.
[115] Data mining and data warehousing involve "digging through tons of data" to uncover patterns and relationships contained within, for example, the business activity and history of an organisation; data warehousing is supposed to provide support for decision-making. Processing the vast amount of information is done with the aid of software allowing easy connection between related information in the database. See the Registratiekamer report (BORKING, J., ARTZ, M. and VAN ALMELO, L.), Gouden bergen van gegevens: over datawarehousing, datamining en privacy, Achtergrondstudies en verkenningen 10, September 1998, available at www.registratiekamer.nl
[116] Opinion n° 3/99 on public sector information and the protection of personal data, adopted by the Working Party on 3 May 1999.
IV. Legal analysis
Public fora
There are plans to impose obligations upon Internet Service Providers in order to limit the risks of unlawful collection of personal data released in chat rooms or newsgroups.
The Council of Europe Recommendation No R (99) 5 for the Protection of Privacy on the Internet[117] offers as a guideline to Internet Service Providers that they should inform users of the privacy risks present in the use of Internet before they subscribe or start using the services. Such risks may cover data integrity, confidentiality, the security of the network or other risks to privacy, such as the hidden collection or recording of data.
The registration form to be completed by individuals requesting access to a public forum must comply with the provisions of Article 6 of Directive 95/46/EC on the fair processing of personal data, which states that personal data must be collected for a legitimate purpose, and that no unnecessary or irrelevant data may be collected for that purpose.
The legitimate nature of the purpose can be determined with reference to Article 7 of Directive 95/46/EC, which provides, in particular, for the explicit consent of the individual to the processing of his/her personal data, and for the balance between the legitimate interest of the data controller and the fundamental rights of the individual (Article 7 a. and f.).
Users must be informed in a clear and visible way about that purpose, the quality of the data collected and the possible storage period for the data. If the user is given no clear indication of the conditions for processing the data, the absence of a reaction may not be regarded as implicit agreement to further processing of those data by the data controller (e.g. for marketing purposes).
It must be emphasised that service providers do not necessarily need to know the precise identity of the user at all times. Before accepting subscriptions and connecting users to the Internet, they should inform them about the possibility of accessing the Internet anonymously or making use of a pseudonym and using its services anonymously[118].
This principle has been recognised by the Working Party in its recommendation 3/97 on anonymity on the Internet[119]. While there is no possible doubt about the legitimacy of anonymity in situations such as the sharing of personal experiences (victims of sexual offences or persons suffering from alcohol dependency) or political opinions, the Working Party has stressed that the need for anonymity on the Internet goes much further than these specific cases, because identifiable transactional data by its very existence creates a means through which individual behaviour can be surveyed and monitored to a degree that has never been possible before.
The control of newsgroups and chats in order to ban inappropriate content should be exerted in accordance with the principle of proportionality laid down in Article 6 of Directive 95/46/EC where the identification and collection of all personal data contributed in a public forum is considered as disproportionate compared with other existing means of control.
Other possibilities have been proposed, such as contract solutions providing for "content quality", or the involvement of a moderator whose role would be to monitor contributions for illegal and harmful content.
In addition to these fundamental principles, it should be added that the preservation of traffic data by Internet Service Providers is very strictly regulated, as it is for telecommunications operators. As a general rule, traffic data must be erased or made anonymous as soon as the communication ends (Article 6 paragraph 1 of Directive 97/66/EC). Telecommunications operators and Internet Service Providers are not allowed to collect and store data for law enforcement purposes only, unless required to do so by a law based on specific reasons and conditions[120].
[117] Recommendation of the Committee of Ministers to Member States adopted on 23rd February 1999. Available at www.coe.int/dataprotection/
[118] S. LOUVEAUX, A. SALAN, Y. POULLET, User protection in the cyberspace: some recommendations, CRID, p. 12, available at http://www.droit.fundp.ac.be/crid/.
[119] Recommendation adopted by the Working Party on 3 December 1997.
Publications and directories
The Working Party has reiterated[121] that European data protection legislation applies to personal data made publicly available, and that those data still need to be protected.
The essential principle applicable to public personal data is the principle of finality or purpose limitation, according to which personal data are collected for specific, explicit and legitimate purposes and must not be subsequently processed in a manner which is incompatible with these purposes (Article 6.1 b) of Directive 95/46/EC).
The Working Party has also underlined that personal data made publicly available do not constitute a homogeneous category which can be dealt with uniformly from a data protection point of view: while there may be public access to data, such access may be subject to certain conditions (such as proof of legitimate interest), and to restrictions as to further utilisation (such as utilisation for marketing purposes).
The publication of personal data on the Internet might lead to further processing of the data which the data subject might not expect. Articles 10, 11 and 14 of Directive 95/46/EC stipulate in this respect that the data subject has the right to be informed about the usage of his/her personal data. The data subject shall also be informed about his/her right to object to the processing of personal data for marketing purposes, by simple and effective means. The idea of a "one-stop shop" to object to the processing of personal data on a single list might offer an interesting solution to the difficulties encountered by individuals in objecting to each data processing operation, given their proliferation at national and international level[122].
If the intended purpose of the processing is incompatible with the original purpose, the balance between the right to privacy and the interests of the data controller shall be struck by the imposition of stricter conditions upon the data controller. The latter shall obtain the consent of the data subject or be able to invoke a legal or statutory basis for the processing.
It is, however, not always clear whether the data controller is obliged to respect the data subject's right to object, or obtain his/her consent in order to be able to process data.
The regulation of Internet directories in different countries is an example of such different approaches. The question is whether consent is required before a directory is made available in electronic form when it presents different search criteria from those originally foreseen in a paper directory.
Some countries (such as Spain and Belgium) consider that extended search criteria lead to the possibility of processing personal data for purposes which are not compatible with the original purpose, and that no such processing should therefore be allowed without the prior information and explicit consent of the data subject. In other countries (e.g. United Kingdom) compliance with the right to object foreseen in the Directive appears to be considered in principle sufficient, although it will depend on the fact of whether or not there is a legal duty to publish the information in the directory.
These interpretations of the legal texts lead to differences in the level of protection in EU countries and to practical conflicts when, for example, a directory including personal data on citizens of a country with a higher protection is put on the Internet from a country with a less protective policy. Such conflicts have been discussed at European level and a common interpretation of the texts by the Working Party has led to an official position which recommends the harmonised application of the principle by EU Member States[123].
Article 12 of the proposal for a revision of Directive 97/66/EC[124] lays down that the individual has the right to decide without cost whether and which of their data are to be included in public directories, for which specified purpose and to what extent. This constitutes a positive step in the right direction, and has been given full support by the Working Party.
[120] Recommendation n° 3/99 on the preservation of traffic data by Internet Service Providers for law enforcement purposes, adopted by the Working Party on 7 September 1999.
[121] Opinion n° 3/99: see above.
[122] This could be particularly useful regarding the dissemination of directories on the Internet. Complaints handled by data protection authorities often relate to the publication of data from a specific country when the person concerned has been registered in an opposition list, but only in his/her own country.
V. Privacy enhancing measures
In addition to the legal provisions mentioned above, there are technical solutions which can improve the protection of personal data at different levels. As a general principle, the Working Party points out that browser software should be configured by default in such a way that only the minimum amount of information necessary for establishing an Internet connection is processed[125].
Anonymity on public fora
With regard to anonymity on the Internet and on public fora in particular, the notion of "pseudo-identity" could offer an alternative solution to the question of the balance between legitimate control of abuses and the protection of personal data. Such an identity would be attributed to an individual through a specialist service provider. The anonymity would then be respected in principle, but a link could be reconstructed with the real identity of the individual by the specialist service provider in specific cases, e.g. suspicion of criminal activity.
As for e-mail, anonymous remailers either give the user an anonymous address, to which other people can send their mail, which is then forwarded to the real address of the user (sometimes referred to as a pseudonymous server), or they post or mail the sender's message without any trace of his/her name or address[126].
[123] Opinion 5/2000 on the use of public directories for reverse or multi-criteria searching services (reverse directories), WP 33, adopted on 13th July 2000.
[124] In its public version of 12 July 2000, COM (2000) 385.
[125] Recommendation n° 1/99 of the Working Party on invisible and automatic processing of personal data on the Internet performed by software and hardware, adopted on 23 February 1999.
[126] These remailers are called Cypherpunk (for the first generation) or Mixmaster (for the second generation, using more advanced techniques) remailers. Well-known anonymous servers on the web were "anon.penet.fi" or "alpha.c2.org". It appears however that both have closed. A new one is "Nym.alias.net". Anonymous messages can also be sent through an HTML document. In this case, the message and the final recipient are sent unencrypted to the WWW server used.
Systematic indexation of data
Tools also exist to ensure that authors of personal pages are not subject to systematic indexation of their pages and the collection of their personal data without them being aware of it.
The aim of the Robot exclusion protocol is to prevent all or some of the pages of a website being automatically indexed by a search engine[127]. This protocol is recognised by most search engines on the Web. The file "robots.txt" inserted in the Internet address contains instructions aimed at search robots stating that some robots are not welcome or that only some identified pages on the site may be read and indexed.
As only a service provider is able to insert a so-called "Robot exclusion protocol" in the site address, authors of personal web pages hosted by a service provider can, if they cannot get the service provider to agree to insert such a protocol, include a Robots Meta-tag on every page they do not wish to be indexed. The disadvantage of such Meta-tag robots is that they are not yet recognised by all search engines on the Internet.
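How a well-behaved search robot applies the two opt-out mechanisms described above, as an added example that is not part of the Working Party's document: it consults the provider's robots.txt first and then the page's own Robots meta tag. The host www.example.org, the robot names and both sample files are constructed for illustration.

```python
"""Honouring robots.txt and the Robots meta tag before indexing a page."""
from html.parser import HTMLParser
from urllib.robotparser import RobotFileParser

# Constructed sample: the robots.txt a service provider publishes at the site root.
SAMPLE_ROBOTS_TXT = """\
User-agent: ExampleHarvester
Disallow: /

User-agent: *
Disallow: /people/alice/
Disallow: /members/
"""

# Constructed sample: a personal page whose author cannot edit robots.txt
# and therefore opts out page by page with a Robots meta tag.
PERSONAL_PAGE = """<html><head>
<title>Bob's home page</title>
<META NAME="ROBOTS" CONTENT="NOINDEX, NOFOLLOW">
</head><body>Family photos and contact details</body></html>"""

# Constructed sample: a page with no opt-out at all.
PLAIN_PAGE = "<html><head><title>Club news</title></head><body>Hello</body></html>"


class RobotsMetaParser(HTMLParser):
    """Collects the directives of every <meta name="robots"> tag on a page."""

    def __init__(self):
        super().__init__()
        self.directives = set()

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        attr = {name: (value or "") for name, value in attrs}
        # Tag and attribute names arrive lower-cased; values keep their case.
        if attr.get("name", "").strip().lower() == "robots":
            for token in attr.get("content", "").split(","):
                if token.strip():
                    self.directives.add(token.strip().lower())


def meta_directives(html):
    """Return the set of Robots meta directives found in the HTML text."""
    parser = RobotsMetaParser()
    parser.feed(html)
    return parser.directives


def robots_txt_allows(robots_txt, user_agent, url):
    """True if robots.txt lets this robot fetch the URL at all."""
    rules = RobotFileParser()
    rules.parse(robots_txt.splitlines())
    return rules.can_fetch(user_agent, url)


def indexing_decision(robots_txt, user_agent, url, html):
    """Return (may_fetch, may_index, may_follow_links) for one page.

    robots.txt is checked first: a disallowed page is never downloaded, so its
    meta tag is never even seen. Only for permitted pages does the meta tag
    decide whether the content may enter the index.
    """
    if not robots_txt_allows(robots_txt, user_agent, url):
        return (False, False, False)
    directives = meta_directives(html)
    may_index = not ({"noindex", "none"} & directives)
    may_follow = not ({"nofollow", "none"} & directives)
    return (True, may_index, may_follow)


if __name__ == "__main__":
    bot = "ExampleSearchBot/1.0"
    base = "http://www.example.org"
    print(indexing_decision(SAMPLE_ROBOTS_TXT, bot, base + "/people/alice/cv.html", ""))
    print(indexing_decision(SAMPLE_ROBOTS_TXT, bot, base + "/people/bob/index.html", PERSONAL_PAGE))
    print(indexing_decision(SAMPLE_ROBOTS_TXT, bot, base + "/news.html", PLAIN_PAGE))
```

Both mechanisms are requests to the robot, not access controls: they protect a page only against robots that choose to implement checks like these.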
On-line access to public information
The last subject dealt with in this chapter concerns on-line access to public information which is nevertheless still subject to privacy protection rules. Technical solutions applied to such databases can help limit illegal use of the information they contain:
- Search criteria must be defined in such a way that data can only be used in accordance with the original purpose. The Working Party insisted in its Recommendation of 13 July 2000 on reverse directories that "the data controller (…) has to implement technical and organisational measures which are appropriate to the risks represented by the processing and the nature of the data protected (see Article 17 Directive 95/46/EC). This means for example that the database should be designed in a way that prevents possible fraudulent uses, such as the unlawful modification of search criteria or the possibility of copying or accessing the whole database for further processing. Search criteria must, for example, be sufficiently precise to only allow for the presentation of a limited number of results per page. The result should be that the purpose to which the subscriber has consented, is also guaranteed by technical means."[128]
- The on-line consultation of databases can be restricted by, for example, limiting the field of the query or the query criteria. It should be impossible to collect a large volume of data using a wide query such as the first letters of a name. It could also be made technically impossible to request court judgements, for example, based on the name of an individual, or to request the name of a person based on his/her telephone number.
For this purpose, technical tools should be configured and used according to the legal principles described in this chapter.
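One way to enforce these query restrictions inside the directory service itself, as an added example that is not taken from the Working Party's text: only the paper directory's criteria are accepted, wide or partial queries are refused, result sets are capped, and reverse lookup answers only for subscribers who consented. The record layout, the thresholds and the per-client query budget are assumptions chosen for the example, and all records are constructed.

```python
"""Purpose-limited search for an on-line subscriber directory."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Subscriber:
    surname: str
    town: str
    phone: str
    reverse_consent: bool = False  # assumption: express consent is recorded per entry


# Constructed sample records (not real subscribers).
DIRECTORY = [
    Subscriber("Martin", "Namur", "081-555-0101"),
    Subscriber("Martin", "Namur", "081-555-0102", reverse_consent=True),
    Subscriber("Martens", "Gent", "09-555-0103"),
    Subscriber("Dubois", "Liege", "04-555-0105"),
]

FORWARD_FIELDS = {"surname", "town"}  # the criteria the paper directory offered
MIN_SURNAME_LEN = 3                   # assumed threshold


class QueryRefused(Exception):
    """Raised when a query falls outside the purpose the subscriber agreed to."""


class DirectoryService:
    def __init__(self, records, max_results=10, budget=20):
        self.records = list(records)
        self.max_results = max_results  # cap on rows returned per query
        self.budget = budget            # queries allowed per client
        self.used = {}

    def charge(self, client_id):
        # Every attempt counts, refused ones included, so that probing the
        # database piece by piece in order to copy it is not free.
        used = self.used.get(client_id, 0)
        if used >= self.budget:
            raise QueryRefused("query budget exhausted")
        self.used[client_id] = used + 1

    def search(self, client_id, **criteria):
        """Forward search by surname and town, the original purpose."""
        self.charge(client_id)
        extra = set(criteria) - FORWARD_FIELDS
        if extra:
            # Criteria such as phone or street cannot be smuggled in.
            raise QueryRefused("criteria not offered: " + ", ".join(sorted(extra)))
        surname = str(criteria.get("surname", "")).strip().casefold()
        town = str(criteria.get("town", "")).strip().casefold()
        if len(surname) < MIN_SURNAME_LEN or not town:
            raise QueryRefused("a full surname and a town are both required")
        # Exact match only: the first letters of a name never expand into a list.
        hits = [r for r in self.records
                if r.surname.casefold() == surname and r.town.casefold() == town]
        if len(hits) > self.max_results:
            # Refuse instead of paging, so large result sets cannot be walked.
            raise QueryRefused("too many matches, refine the query")
        return [(r.surname, r.town, r.phone) for r in hits]

    def reverse_lookup(self, client_id, phone):
        """Number-to-name search, answered only for consenting subscribers."""
        self.charge(client_id)
        return [(r.surname, r.town) for r in self.records
                if r.phone == phone and r.reverse_consent]


def try_search(service, client_id, **criteria):
    """Front-end helper: ('ok', rows) or ('refused', reason)."""
    try:
        return ("ok", service.search(client_id, **criteria))
    except QueryRefused as exc:
        return ("refused", str(exc))


if __name__ == "__main__":
    svc = DirectoryService(DIRECTORY)
    print(try_search(svc, "client-1", surname="Dubois", town="Liege"))
    print(try_search(svc, "client-1", surname="Mar", town="Namur"))
    print(try_search(svc, "client-1", phone="081-555-0101"))
    print(svc.reverse_lookup("client-1", "081-555-0102"))
```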
[127] Opinion n° 3/99, see above.
[128] The International Working Group on Data Protection in Telecommunications had adopted a similar recommendation on reverse directories at its meeting in Hong Kong on the 15th of April 1998: if the reverse directories are not forbidden by law, they are services which require the express consent given voluntarily. At least the right to object and the right of access generally recognized by existing national and international rules on the protection of personal data shall be guaranteed; It is in any case necessary to endow the persons with the right to be informed by their provider of telephone or e-mail service, at the time of the collection of data concerning them, or if they have already subscribed, by a specific means of information, of the existence of services of reverse search and - if express consent is not required - of their right to object, free of charge, to such a search. The whole text of this recommendation is available: http://www.datenschutz-berlin.de/doc/int/iwgdpt/pr_en.htm
VI. Conclusions
In theory, the legal provisions and technical means available offer valuable protection to the data subject as regards the public availability of some of his/her personal data on the Internet.
The principle of finality, according to which personal data cannot be processed for a purpose incompatible with the purpose originally specified, is of major importance with regard to data made public under specific circumstances.
Particular attention shall also be given to the principle of limitation of the period of storage of personal data. Those data should be erased after a reasonable period, in order to avoid the constitution of profiles that gather e.g. messages sent by an individual to a newsgroup during several years. Those individuals shall be made aware of the duration period foreseen for the storage and the availability on line of such public data.
At the present time, problems reside mainly in the lack of information for both data subjects and data controllers about the legal provisions to be observed.
In order to improve the situation, the main objective is to step up efforts to achieve greater transparency on the Internet and to harmonise the interpretation of fundamental principles concerning the data subject's control of his/her data. Directive 97/66/EC, in its revised version of 12 July 2000, offers a welcome opportunity to harmonise some of these issues.
CHAPTER 7: ELECTRONIC TRANSACTIONS ON THE INTERNET
I. Introduction
Electronic commerce can be defined as "any form of transaction in which the actors interact electronically rather than by physical exchanges or direct physical contact".129
This definition covers transactions involving the purchase of goods or services and also those used to improve the quality of services, or the provision of new services by private or public organisations.
Given the above definition and bearing in mind that the main purpose of this chapter is to study Internet-related issues, it will focus on transactions that occur through the Internet, leaving aside any other form of interaction carried out by private or public networks.
The impact of electronic transactions is expected to be felt world-wide, as electronic commerce is, by definition, global and enables every company (regardless of size or turnover) to offer and sell its products throughout the world.
Electronic transactions allow organisations to be more efficient and flexible, to work more closely with suppliers and to fulfil the needs and expectations of their customers in ways they had previously only dreamt of.
However, a huge amount of information is needed to achieve all these goals and this could entail the invasion of essential areas of individual privacy.
II. Actors
The main actors involved in electronic transactions are:
- the user, in the context of Directive 95/46/EC, the natural person who wants to buy a product or demands a service130,
- the telecoms operator, who is not specifically involved in e-commerce transactions but plays a key role in conveying the signals that make every form of electronic transmission of data possible. This actor has specific security obligations arising from the directives.
- the Internet Service Provider (ISP) providing access to the Internet,
- the electronic merchant - the entity which offers products or services through the Internet,
- the financial platform needed in most cases and involving both the merchant's bank and the consumer's bank and a payment gateway dealing with the necessary technical aspects to authorise the financial operation and the payment. This payment gateway deals with all the connections among financial institutions enabling the exchange of electronic money by ensuring that all the actors meet the necessary requirements to accomplish the transaction.
- Trusted Third Parties. In the most complex and secure cases these are needed to authenticate the parties and provide strong enough encryption to ensure the confidentiality of the transaction.
Three different models for electronic transactions can be identified, depending on the forms of trading and the actors or operators involved131.
129 Information Society Project Office of the European Commission, Electronic Commerce - An Introduction (http://www.ispo.cec.be/ecommerce/answers/introduction.html)
130 Most electronic commerce transactions (around 90%) are carried out nowadays between companies, i.e. legal persons, which are not covered by Directive 95/46/EC (see Articles 2 a) and 3.1)
1) Online delivery of intangible goods and services.
Mainly used by software houses and communications enterprises for which the Internet infrastructure is ideal for the remote real-time distribution and sale of their products.
These range from software, video films, games and on-line music to subscriptions to on-line journals, magazines or technical support programmes.
In this case, apart from the obvious savings gained by direct access to the consumers, thus avoiding any dependency on intermediaries, there is a great advantage for companies which engage in this type of commerce.
They can obtain precise and accurate knowledge of the final consumer, his/her hobbies, interests and buying patterns.
This category also covers most of the services offered by public sector organisations, such as on-line self-assessed tax payments or returns, electronic applications or requests for welfare payments and follow-up actions.
2) Electronic ordering of tangible goods.
This category includes many different types of companies.
First of all, large enterprises using the Internet to obtain direct access to the consumer.
IT hardware manufacturers or retailers have been the first to use this commercial channel, which is easy to understand due to the nature of the Internet user.
Nowadays, an increasing number of enterprises sell clothing, perfumes, books, CDs, flight tickets, etc.
The Internet gives small and medium-sized companies the opportunity to develop new commercial activities on a scale which would be unattainable using their traditional resources.
In fact, as some observers have noted, there is a big difference between the initial investment needed to offer a hundred thousand music CDs through an electronic shop on the Internet, and trying to do the same by opening a shop in a city centre.
Furthermore, all electronic commerce sites delivering tangible goods ultimately depend on a logistical organisation to deliver the items to the final consumer at his or her home address.
These logistical organisations are currently investing in Internet technologies to support the electronic ordering and tracing of shipments between partner companies and between the logistical company and the final consumer, so that all the participants can find out in real-time where the ordered goods are and when they are expected to arrive.
In this context, it is quite possible that certain distributors and logistical experts will decide to merge in the near future to make use of the key information possessed by the logistical companies on the distribution process (collection and delivery addresses mainly).
3) Commercial networks and shopping malls.
On-line commerce does not exclude traditional distributors with no substantive knowledge of the new technologies.
They have the option to join a structure called Internet malls which give them the chance to combine their wares in the showcase of an electronic shopping mall.
In malls, shops are classified according to categories and visitors use an internal search system to find a list of sites offering the desired product.
Advertising banners could be targeted on the basis of keywords typed or shops visited, and the Internet mall provides a secure payment infrastructure for its members.
Depending on their role, Internet shopping malls often collect very detailed and accurate information about the visitors and buyers (shops visited, interests, buying patterns, addresses, personal details and payment information) that can be of great interest in establishing customer profiles when developing advertising or marketing strategies132.
131 The following classification has been taken from the study by the Commission of the European Communities "On-line services and data protection and the protection of privacy". It can be found at http://europa.eu.int/comm/internal_market/en/media/dataprot/studies/serven.pdf
132 The way in which this information is collected is explained in more detail in Chapter 5 on surfing and searching
The role of these malls may change in the future if they are integrated into wider sites, the so-called portals, which are web "supersites" providing a variety of services including web searching, news, white and yellow pages directories, free e-mail, discussion groups, online shopping and links to other sites.
These modern portals are offering ever greater opportunities for shopping on a world-wide basis, through both classified advertisements and search engines.
And nothing prevents these portals from offering, sometime in the near future, their own secure payment platforms and intelligent user agents who can search the Web, negotiate prices (including even the privacy terms of a commercial engagement)133 and conclude agreements on behalf of the consumer.
III. Secure payments
The growing importance of electronic commerce means that payment systems are needed for the sale of goods and services.
Concerns about the security risks of sending credit card details over the Internet and the possibility of confidential personal information being disclosed to unauthorised third parties, are two of the limiting factors on the expansion of electronic commerce.
Several methods have been, and are still being, developed to address these concerns.
Nowadays, the most common is the Secure Sockets Layer (SSL)134, which is implemented in the most popular browsers and establishes a secure channel between the consumer and merchant computers.
This is achieved by means of encryption and digital certificates.
The basic operation procedure of SSL works in the following way.
Before the merchant's computer (server) can begin a secure connection with the consumer's computer (client), the client needs to ensure that it is connected to a secure server.
To verify the identity of the server, the server's digital certificate is used.
After the server is authenticated, the client and server can encrypt data to each other and ensure the integrity of that data, including the credit card number used in the transaction and any other personal details.
It should be noted that SSL does not enable the customer to have control over the subsequent use or processing of his/her personal data made by the merchant, and that the authentication of the client is not mandatory, making fraud through the misuse of somebody else's identity a possibility.
In order to deal with these difficulties and provide a totally reliable framework for electronic commercial transactions, some credit card companies have jointly developed a new protocol with the support of the main software developers.
The protocol is called Secure Electronic Transactions (SET) and provides for confidential transmissions (using encryption), authentication of the parties (cardholder, issuer, merchant, acquirer and payment gateway via digital certificates) and integrity and non-revocation of payment instructions for goods and services (through digital signatures)135.
133 Opinion 1/98: Platform for Privacy Preferences (P3P) and the Open Profiling Standard (OPS) adopted by the Working Party on the Protection of Individuals with regard to the Processing of Personal Data on June 16, 1998. (http://europa.eu.int/comm/dg15/en/media/dataprot/wpdocs/index.htm). See also the book by HAGEL III, J. and SINGER, M., Net Worth: the emerging role of the informediary in the race for customer information, Harvard Business School Press, 1999 and the report Intelligent software agents and privacy, by J. BORKING, B.M.A. VAN ECK and P. SIEPEL, Registratiekamer in cooperation with the Ontario Information and Privacy Commissioner, Achtergrondstudies and verkenningen, January 1999, available at www.registratieakamer.nl
134 A complete description of the SSL system can be consulted in http://developer.netscape.com/tech/security/ssl/howitworks.html and http://home.netscape.com/eng/server/console/4.0/help/app_ssl.htm
As the aforementioned system is not particularly suitable when a large number of small-value transactions are required, an alternative method called electronic money or e-cash is being developed.
The general principle is to download money onto the hard disk of a computer (or, in the near future, onto the chip of a smart card).
Each time an on-line payment is made, the user transfers money units (tokens) from his/her computer or smart card to the account of the trader or service provider.
There are several competing technologies in this area.
The most interesting from the point of view of protecting personal information are the completely anonymous payment systems based on a blind signature mechanism136.
These mechanisms could prevent the tracing of transactions, as the bank that "signs" the e-cash does not link the consumer to a specific transaction.
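The blind signature step behind such e-cash can be shown with textbook RSA. This is an added example, not taken from the Working Party's document or from any deployed payment system; the toy key, account names and function names are constructed, and a real scheme would use random primes, padding and double-spending checks.

```python
"""Chaum-style RSA blind signature for an e-cash token (textbook RSA, toy key)."""
import hashlib
import secrets
from math import gcd

# Constructed toy key built from two Mersenne primes. The bank keeps D private
# and publishes (N, E).
P, Q = 2**127 - 1, 2**521 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def token_digest(serial: bytes) -> int:
    """The number that is actually signed: SHA-256 of the coin's serial."""
    return int.from_bytes(hashlib.sha256(serial).digest(), "big")


def blind(m: int):
    """Customer: hide m behind a random factor r before sending it to the bank."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return (m * pow(r, E, N)) % N, r


def bank_sign(blinded: int) -> int:
    """Bank: debits the account and signs the number it was sent, unseen."""
    return pow(blinded, D, N)


def unblind(blind_sig: int, r: int) -> int:
    """Customer: strip r, leaving an ordinary signature on m."""
    return (blind_sig * pow(r, -1, N)) % N


def verify(serial: bytes, sig: int) -> bool:
    """Merchant or bank: check the coin with the bank's public key only."""
    return pow(sig, E, N) == token_digest(serial)


def withdraw(account: str, bank_log: list):
    """One withdrawal; the bank's log records the account and the blinded value."""
    serial = secrets.token_bytes(16)
    blinded, r = blind(token_digest(serial))
    bank_log.append((account, blinded))
    return serial, unblind(bank_sign(blinded), r)


def consistent_withdrawals(serial: bytes, bank_log: list) -> list:
    """Bank's view when the coin is deposited: which withdrawals could explain it?

    For every logged value b some factor r satisfies b = m * r^E mod N, so every
    withdrawal fits and the log does not single out the payer.
    """
    m = token_digest(serial)
    fits = []
    for account, b in bank_log:
        r = pow((b * pow(m, -1, N)) % N, D, N)
        if (m * pow(r, E, N)) % N == b:
            fits.append(account)
    return fits


def demo():
    log = []
    coin_a = withdraw("alice", log)   # constructed account names
    coin_b = withdraw("bob", log)
    return log, coin_a, coin_b
```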
IV. Privacy Risks
Regardless of the type of transaction executed or the payment system used, the essential difference between the physical world and the electronic world is that, in the former, there are a lot of activities that can remain anonymous (looking at showcases, walking through various shops, examining different products and, if you pay in cash, purchasing goods), whereas in the latter everything can be recorded, added to previous or freshly generated information and processed almost without cost to produce enriched information on every individual.
And it can be done not only without the consent of the citizen concerned, but even without his or her knowledge.
Moreover, with the current data warehouse and data mining137 technologies, enormous amounts of information can be processed, not only in order to select individuals that meet some requirements or criteria but also to discover hidden relationships among apparently unconnected data, thus making explicit some patterns of behaviour which could be used to take commercial or administrative decisions regarding certain citizens.
In most cases, when a data subject carries out a purchase or engages in a service such as a subscription, it is mandatory to supply personal details to the merchant or service provider in order to authenticate the buyer, give payment guarantees or provide a physical or electronic address for the delivery of the goods or services.
So, unless you pay using e-cash or use privacy-enhancing technologies to hide your IP address and buy an intangible good, anonymity is seldom a possibility at the present time on the Web.
This chapter will therefore concentrate on the risks associated with the secondary unauthorised use of personal data and those related to a breach of confidentiality or impersonation.
135 Using SET during a transaction, the parties involved communicate by means of two pairs of unique and asymmetrical encryption keys: public encryption keys for signing the documents relating to a transaction, i.e. the purchase offer, and private keys including a digital signature for the actual transaction, i.e. the payment instruction, which ensures the integrity of the transmission and that the order will not be revoked.
It operates as a dual signature: the two keys interact in such a way that a payment cannot be valid unless the purchase offer is accepted by the merchant, while the actual order is not honoured unless the payment is approved by the financial institution.
The trader has no knowledge of the payment instructions while the bank does not have access to the contents of the order.
For a detailed functional description of the complex SET protocol, see SET Secure Electronic Transaction Specification Book 1: Business Description that can be found at http://www.setco.org/download.html.
See also GARFINKEL, S., Web security and commerce, O'Reilly Associates, June 1997, chapter 12: Understanding SSL and TLS.
136 For a theoretical discussion of how these systems work see, CHAUM, David "A Cryptographic Invention Known as a Blind Signature Permits Numbers to Serve as Electronic Cash or to Replace Conventional Identification. The Author Hopes It May Return Control of Personal Information to the Individual" http://www.eff.org/pub/Privacy/chaum_privacy_id_Article, which appeared in Scientific American, August 1992
137 See the Registratiekamer report (BORKING, J., ARTZ, M. and VAN ALMELO, L.), Gouden bergen van gegevens: over datawarehousing, datamining en privacy, Achtergrondstudies en verkenningen 10, September 1998, available at www.registratiekamer.nl
1. One of the more usual secondary uses of personal data is advertising.
Once the individual has been identified, whether he or she supplied the information when logging into the server or by means of other technological devices such as cookies, previous information about the individual is used to customise advertisements depending on his/her habits, interests, clickstream or buying patterns.
And not only ads referring to the website owner of services or offers, but also those issued by third parties which have agreements to support the financial cost of running the server by displaying its publicity.
The paradigms of Internet advertising are the techniques used by publicity agencies such as DoubleClick.
DoubleClick activities are based on supplying advertising space on the Net and making it easy for advertisers to choose the space that will provide a suitable base for their communication activities.
The other key element in DoubleClick's success is the IT technology which makes it possible to isolate identification criteria and offer advertisers tools for the individual targeting of users.
This technology uses a database containing data on several million Internet users, thus ensuring that only the desired target audience will be contacted by their advertising campaigns.
To achieve this, DoubleClick collects and processes personal data which make it possible to identify users, describe their habits and determine, in real time, those elements of the population that are likely to meet the targeting criteria of current advertising campaigns.
DoubleClick assigns a unique identification number to every user that visits one of the websites in the DoubleClick network and posts a cookie, which is later used to identify the user when he/she logs onto another DoubleClick site and, according to his/her data, to customise the most suitable ad for him/her.
Even if the visitor does not accept the cookie, his/her profile can still be created, especially if he/she has a static IP address.
The personal data recorded in the DoubleClick database are: the permanent part of the IP address, i.e. the Net address, domain, country, state (US), postcode, SIC code (Standard Industrial Classification System code, US), size and turnover of the company (optionally), operating system, version number, service provider, identification number (assigned by DoubleClick), referencing of browsing activities (collection and analysis of the sites visited by the user)138.
DoubleClick merged with Abacus Direct Corporation on November 23, 1999.
Abacus, now a division of DoubleClick, will continue to operate Abacus Direct, the direct mail element of the Abacus Alliance.
In addition, it was announced that Abacus has begun building Abacus Online, the Internet element of the Abacus Alliance.
According to information placed on the DoubleClick website, the Abacus Online portion of the Abacus Alliance will enable U.S. consumers on the Internet to receive advertising messages tailored to their individual interests139.
With regard to the aforementioned merger, a California citizen filed a complaint in the Superior Court of the State of California seeking an injunction against DoubleClick for unlawful, misleading and deceptive business practices on the Internet which violate the Privacy Rights of the General Public.
The complaint also stated that DoubleClick misleads and has misled the General Public "(...) into a false sense of privacy and security regarding their Internet use, while deceptively acquiring, storing and selling millions of Internet users' most private and personal information for profit. (...) When an Internet user visits a participating website, a uniquely identified cookie is placed in his or her computer. Then, when that user visits a website that has information about the user's identity (...), the user's identity is linked with the identifying cookie. The defendants, through using the Abacus database, are then able to obtain a potentially vast amount of personal information about the user. In addition, the Internet user's buying habits, responses to advertising and the websites he or she visits are tracked and recorded"140.
DoubleClick affirms that, following the public reactions to this project of linking their database with the database of Abacus, the effective steps to launch such matching have not been taken up to now.
138 As mentioned in the study On-line services and data protection and privacy, by GAUTHRONET, S. and NATHAN, F., published by Commission of the European Community. Available at http://europa.eu.int/comm/internal_market/en/media/dataprot/studies/serven.pdf
139 www.doubleclick.net:8080/privacy_policy/
Another example of how personal data can be processed in a way which the ordinary Internet user does not expect, is the work carried out by SurfAid, a small company which is part of the IBM Global Services division based in Somers (New York)141.
This company receives the access log files of its customers on a daily basis and pre-processes these files to find out the route followed by visitors to the client website.
Then, some powerful data mining tools are used to explore the client's file, which in some cases contains more than one hundred and fifty million hits, and produce a daily report accessible to the client.
Afterwards, the clients can use OLAP programs to break down and analyse the information.
2. Another risk that individuals face when conducting electronic transactions, is the breach of confidentiality of the information transmitted.
Since the Internet is an open public network with well known protocols focusing more on sharing information than on protecting its confidentiality or security, it is not very difficult for anyone with some technical knowledge to find a number of software tools to intercept and disclose the data transmitted on the Internet.
It is also possible to impersonate a company or institution to obtain information that might later be used to commit some kind of fraud or crime.
3. There is a new form of trade developing: mobile e-commerce, which is based on the third generation of cellular phones and other handheld devices that can have secure access to e-mail and web pages using a new protocol142.
Consequently, location and traffic data as well as travelling patterns might be added to the transactional and browsing data to produce an even more accurate profile of the consumer.
And, when one takes into account the mergers and concentrations among telecom companies, service providers, portals and content companies, the possibility of aggregation, integration and joint processing increases exponentially.
As a simple example of what may happen in the near future, it is foreseeable that advertisements could follow people everywhere through their cell phones or personal digital assistants.
"It's a global positioning type of targeting and it's not that far away" a spokesperson for DoubleClick has announced143.
Another example is the joint project between Yahoo! and CellPoint Systems AB to co-market a person-to-person locator using cell phones.
The Yahoo! Find-A-Friend system can be used to obtain information such as: "John is close to Piccadilly Circus, about 3.2 km north-west of you" by using the resources of the GSM cell phone network.
Even though consent is required to be part of this scheme, the example shows the new capabilities present in new telecommunications technologies which allow people to be traced through mobile devices144.
140 Harriet M. Judnick v.s. DoubleClick, Inc.
141 WATTERSON, Karen, La minería de datos ya es una tendencia dominante; DATAMATION (Spanish Edition), February 2000
142 Wireless Application Protocol (WAP).
143 Jane Weaver, MSNBC, 16/04/2000
V. Legal analysis
First of all, it should be remembered that, as was explained in detail in Chapter 3, the data protection rules contained in Directive 95/46/EC and Directive 97/66/EC apply to the Internet and to the personal data processed in electronic transactions145.
The following paragraphs will focus on those aspects of these legal texts which are especially relevant to the field of electronic transactions.
Lawfulness of the processing: finality principle (Articles 5-7 of Directive 95/46/EC)
The first aspect to consider is the fair and lawful collection and processing of data, including the finality and proportionality principles.
In the context of electronic transactions, it is important to consider the fact that personal data might be collected in a way that is invisible to the data subject.
The Working Party has frequently stated its concern about all kinds of processing operations presently being performed by software and hardware on the Internet without the knowledge of the person concerned and which are therefore "invisible" to him/her146.
When personal data are collected from the Internet user, clear information should be given to the data subject about the purpose of the processing, and on the recipients or categories of recipients of this information, so that he/she is able to decide whether to carry out the transaction under the said conditions.
In addition, secondary uses of personal data should also be made explicit and consent must be obtained, should the secondary uses not be considered compatible with the main purpose.
Examples of incompatible secondary uses are the communication of transactional data to third parties to allow them to establish buyer profiles for their advertising campaigns147, or to use data mining tools to extract behaviour patterns from the list of names of websites visited by an Internet user.
It should also be noted that the data subject's consent to process his/her personal data in the framework of a commercial electronic transaction is not required for the collection of the data necessary to accomplish the transaction.
This in itself is a legitimate ground to process the personal data of the user required for this purpose, as stated in Article 7 b) of the directive.
Any other related data, including invisible data which are in no way needed to achieve the transaction, can only be processed on the basis of other legitimate grounds listed in Article 7 of the directive - i.e. unambiguous consent, compliance with legal regulations, vital interest of the data subject or legitimate interests of data controllers which are not overridden by the fundamental rights or freedoms of the data subject.
This is also valid for government transactions since the legitimacy of the collection and processing of personal data by public bodies arises from legal regulations148.
144 For further information, see http://www.cellpt.com/v2/000504.htm
145 Processing of personal data on the Internet. Working document adopted by the Working Party on the Protection of Individuals with regard to the Processing of Personal Data on February 23, 1999. (http://europa.eu.int/comm/dg15/en/media/dataprot/wpdocs/index.htm)
146 Recommendation 1/99 on Invisible and Automatic Processing of Personal Data on the Internet Performed by Software and Hardware adopted by the Working Party on the Protection of Individuals with regard to the Processing of Personal Data on February 23, 1999. (http://europa.eu.int/comm/dg15/en/media/dataprot/wpdocs/index.htm)
147 Directive 95/46/EC, Article 14 (b)
148 See also Chapter 6 for a discussion on the purpose specification principle applied to publicly available data.
A secondary use that is frequently mentioned by data controllers of personal websites is the technical maintenance and dimensioning of the IT equipment.
This is obviously a legitimate concern in order to offer a good service to customers, but one which can be fully met with unidentifiable data, since only aggregate figures are needed to dimension the computers and telecommunication lines.
Data controllers may only keep personal data for technical reasons if this is strictly necessary for this purpose and one of the legitimate grounds for processing data is applicable in this case.
Information to the data subject (Article 10 of Directive 95/46/EC)
Furthermore, clear information must be provided by the data controller to the data subject, including the identity of the controller, the purposes of the processing, the recipients of the information, whether answers are obligatory or voluntary and the possible consequences of any failure to reply, and the existence of the right of access and the right to rectify the data concerning the data subject.
In the case the data subject is entitled to object to the processing, he/she should be made aware of that.
The information should be given to the data subject either directly on the screen where the information is collected or through a box prompt, as explained in chapter 5.
It is very easy for websites to provide the data subject with this information and to ascertain that the data subject has at least had the opportunity to read it by displaying it as a mandatory part of the transaction process, before any decision has been made by the consumer.
In order to be completely sure that the clauses displayed have not been modified later, they can include an electronic signature of the clauses created with the merchant's private key.
In this way the user has proof of which conditions he/she agreed to.
This idea seems to implement Article 10, paragraph 3, of the e-commerce directive which states that contract terms and general conditions provided to the recipient must be made available in a way that allows him to store them and reproduce them149.
Preservation of personal/traffic data (Article 6 of Directive 95/46/EC and Article 6 of Directive 97/66/EC)
Article 6.1 e) of the directive contains an obligation not to keep identifiable data longer than required for the purpose for which the data were collected.
With regard to traffic data, the strict limitations imposed by Article 6 of Directive 97/66/EC must be observed: traffic data must be erased or made anonymous once the communication (in this case the electronic transaction) has been completed.
The Working Party has addressed the specific issue of the preservation of traffic data by Internet Service Providers for law enforcement purposes in its recommendation 3/99 150.
This recommendation underlines the fact that in principle traffic data should not be kept only for law enforcement purposes and that national laws should not oblige telecommunications operators, telecommunications services and Internet Service Providers to keep traffic data for a period of time longer than necessary for billing purposes151.
149 Directive 2000/31/EC of 8 June 2000.
150 See http://europa.eu.int/comm/dg15/en/media/dataprot/wpdocs/index.htm
151 See also in this respect the official declaration of the European Data Protection Commissioners in Stockholm above mentioned, according to which, where traffic data are to be retained in specific cases, there must be a demonstrable need, the period of retention must be as short as possible and the practice must be clearly regulated by law.
Automated individual decisions (Article 15 of Directive 95/46/EC)
As mentioned before, data related to transactions cannot be kept indefinitely.
This is especially the case when data are intended to be used in automated decisions concerning individuals (such as refusing a request or denying the completion of a purchase) based on previously stored data.
If this is the case, appropriate guarantees should be given to the data subject152.
These guarantees include the right for every person not to be subject to a decision which significantly affects him or her and which is based solely on the automated processing of data, unless agreed under a contract or authorised by law, and the right to know the logic involved in any automatic processing of data concerning the data subject.
Rights of the data subjects (Article 12 of Directive 95/46/EC)
It is also mandatory to establish clear and efficient procedures to allow data subjects to exercise their rights of access, rectification, erasure or blocking.
When data subjects exercise their rights, the controller shall provide them with transparent information about whether there is (or not) personal data registered in the data controller's files and, if this is the case, which data are being processed, the source of these, the purposes of the processing, the categories of data concerned and the recipients or categories of recipients to whom the data are intended to be disclosed.
This information should be made available in an intelligible form and, in the context of electronic transactions, it is recommended that the information be given through the on-line connection established, providing the data subject has not asked to receive it in any other standard way.
A very important issue regarding access to data related to, or collected through, electronic transactions is the data subject's right to obtain information not just on the basic or primary data, but also on the derived or consolidated information.
This means that, if some type of profiling, classification or division into categories has been carried out, or data obtained from third parties has been added, this processed information should also be made available to the individual, as specified in Article 12 a) of the Directive.
Obligations of the data controller: confidentiality and security (Articles 16 and 17 of Directive 95/46/EC and 4 and 5 of Directive 97/66/EC)
When it comes to the issues of confidentiality and security, data controllers must take appropriate measures to protect the information supplied by their customers against unauthorised access or disclosure - in particular, when the processing involves the transmission of data on a network, as is the case with electronic transactions on the Internet.
These measures must take into account the risks to security and confidentiality, the nature of the data and state of the art technology.
Applicable law (Article 4 of Directive 95/46/EC)
Another issue causing concern regarding electronic commerce on the Internet is the law applicable to the processing of personal data collected from websites outside the EU/EEA.
This raises a number of problematic issues which should be analysed on a case-by-case basis.
That analysis should, however, bear in mind that the provisions of Directive 95/46/EC clearly apply to processing operations carried out using equipment wholly or partly located in the territory of the EU, even when the data controllers are located outside the Community153.
152 See also article 12.1 (a) 3rd paragraph of Directive 95/49/EC.
153 For further details, see Chapter 3.
VI. Conclusions
Clear and understandable information shall be offered to the data subject in full compliance with the information principle.
More specifically, data protection information which is closely related to the fulfilment of the electronic transaction should be displayed as a compulsory step in the process of the electronic transaction in order to ensure that this information has been made available to the individual.
This must be understood regardless of the information given to non-buyer website visitors.
As a supplementary measure, a digital signature of the personal data processing conditions should be made available to the data subject so that he/she can check later that the clauses have not been modified.
The proportionality principle must be fully observed.
Only data which is required for the electronic transaction should be collected.
In addition, the processing of any data (especially if the data are processed in a way invisible to the data subject) must be justified on the basis of one of the legitimate grounds in Article 7 of the directive.
When the data subject decides not to give any more personal details than are required for the accomplishment of the electronic transaction, no discrimination should be exercised against him/her in the conditions offered for the transaction.
No secondary processing must be carried out without the knowledge of the data subject, and full information on the logic involved in these processes must be provided to the data subject when access is sought.
Furthermore, there must be unambiguous consent or some other legitimating criteria laid down in Directive 95/46/EC in order to make the processing lawful.
Subject to existing legal regulations, encryption technology should be used to protect, as far as possible, the confidentiality of the electronic transactions and to guarantee the integrity of the messages by means of an electronic signature.
Where necessary, in order to secure transactions, it could be recommended to make use of digital certificates technology and, in particular, if a higher level of security is needed, the digital certificates could be stored in smart-cards.
From the data protection perspective, the opportunity to use secure and anonymous payment methods is a key element for privacy on the Internet.
The collection and processing of personal data using automated or other equipment located in the territory of the EU/EEA are subject to the provisions of Community data protection law.
With regard to traffic data, the strict limitations imposed by Article 6 of Directive 97/66/EC must be observed and Recommendation 3/99 on the preservation of traffic data by Internet Service Providers for law enforcement purposes should be taken into account.
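The signed-clauses measure described under "Information to the data subject" and recommended again in these conclusions can be sketched as follows. This is an added example, not part of the Working Party's document: the clause texts, version label and toy key are constructed, and unpadded textbook RSA stands in for a vetted signature scheme such as RSA-PSS.

```python
"""Merchant signs the data processing clauses shown at checkout; the customer
stores the receipt and can later show whether the clauses were modified."""
import hashlib
import json
import unicodedata

# Constructed toy key from two Mersenne primes. The merchant keeps D private
# and publishes (N, E), for example inside a digital certificate.
P, Q = 2**127 - 1, 2**521 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def canonical(clauses) -> bytes:
    """Stable byte form: layout changes (whitespace, Unicode composition) do not
    affect the signature, any change of wording or clause order does."""
    norm = [" ".join(unicodedata.normalize("NFC", c).split()) for c in clauses]
    return json.dumps(norm, ensure_ascii=False, separators=(",", ":")).encode("utf-8")


def digest(version: str, clauses) -> int:
    data = version.encode("utf-8") + b"\x00" + canonical(clauses)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def merchant_sign(version: str, clauses) -> dict:
    """Receipt handed to the customer as a compulsory step of the transaction."""
    sig = pow(digest(version, clauses), D, N)
    return {"version": version, "clauses": list(clauses), "signature": hex(sig)}


def customer_verify(receipt: dict, public_key=(N, E)) -> bool:
    """Anyone holding the public key can confirm what the merchant signed."""
    n, e = public_key
    sig = int(receipt["signature"], 16)
    return pow(sig, e, n) == digest(receipt["version"], receipt["clauses"])


# Constructed sample clauses.
CLAUSES = [
    "Your address is used only to deliver the goods you ordered.",
    "Transaction data are not passed to third parties for advertising.",
]


def demo():
    receipt = merchant_sign("2000-11-21", CLAUSES)
    reflowed = dict(receipt, clauses=["  " + c.replace(" ", "  ") for c in CLAUSES])
    altered = dict(receipt, clauses=[CLAUSES[0],
                                     "Transaction data are passed to third parties for advertising."])
    return (customer_verify(receipt),    # original clauses
            customer_verify(reflowed),   # same wording, different layout
            customer_verify(altered))    # wording changed after signing
```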

CHAPTER 8: CYBERMARKETING

I. Introduction

The Internet is not just a worldwide information platform, but also a worldwide marketplace where competing businesses try to attract potential customers. Success depends on reaching as many consumers as possible and especially those really interested in the product or service offered by the business. To achieve this, they use profiles and targeted advertisements which are based on these profiles and launched by banners placed on websites. Another way of reaching consumers is electronic mailing, and sending large numbers of unsolicited e-mails repeatedly to e-mail addresses (i.e. individuals) found in public Internet spaces is often seen as the most effective way. This unpopular type of electronic mailing is called "spamming" [154].

In both cases, it is necessary to have personal data on the consumers. These data are often easily collected from the Internet. Many Internet users do not realise that while surfing they leave behind a large volume of data which can be used to make assumptions about their areas of interest, preferences and behaviour [155]. Targeted advertising can be acceptable to a certain extent, when it is in the consumer's interest. But, if the user does not know which data are collected and by whom, and for what purpose they will be used, he/she will lose control of his/her personal data. It is, therefore, wrong to collect these data without the user's consent and even without his/her knowledge.

II. Technical description

Online Profiling and Advertising [156]

Online profiling can be done in different ways:

- A website creates profiles by collecting data on its customers that are based on the interactions between the website and the customer. This is done by the use of cookies, which track the user's actions on the Web. Depending on how the user's browser is configured, he/she might not be aware of the fact that the website is placing a cookie. Using the customer's profile, the website will offer the customer products (e.g. books) or references to other websites that may be of interest to this user.
- In the field of "incentive cybermarketing", individuals may take part in a game or competition provided that they deliver personal data as an input for profiles. In this case, the collection of data is normally carried out with the knowledge of the individual and therefore subject to his/her permission [157].
- Network advertising companies (e.g. DoubleClick, Engage [158]) manage and deliver banner advertisements [159] (hereinafter referred to as banner ads) on a contractual basis for numerous websites. The banner ads are placed on the requested website via an invisible hyperlink to the advertising company. To provide the customer with the most adequate banner ad, the network advertisers create profiles by using cookies set via the invisible hyperlink. Depending on the configuration of the browser, the user may be aware that the cookie is being placed and may or may not give his/her consent. The customer's profile is linked to the identification number of the ad company's cookie so that it can be enlarged every time the customer visits a website which has a contract with the advertiser.

After having been analysed, the collected data can be supplemented with demographic data (age, gender etc.) and combined with other data characterising the group to which the user obviously - i.e. because of his/her online behaviour - belongs (e.g. interests, behaviour). This analysis and supplementation work can be carried out by special programs (especially data mining tools) which are available on the market. The results of these procedures are very detailed profiles which allow the web enterprise or the network advertiser to predict the tastes, needs and purchasing habits of a consumer and, based on these assumptions, to deliver banner ads which match most closely the consumer's interests.

When the collected data, gathered through the identification number of the advertiser's cookie, are not linked to identifiable data [160] of a specific person, they can be regarded as anonymous. But under frequent circumstances, e.g. when the customer fills an order form on the website where the advertiser has placed the banner ad, identifiable data could be linked or merged with existing data already placed on a cookie, and provide for an identifiable profile of the person concerned [161].

[154] See Chapter 4: e-mail, section V. Analysis of specific issues, spam.
[155] See Chapter 5: surfing and searching for more details about the data generated during the surfing process.
[156] In this context it is important to mention the Common Position regarding Online Profiles on the Internet, adopted by the International Working Group on Data Protection in Telecommunications at the 27th meeting of the Working Group on 4/5 May 2000 in Rethymnon/Crete. The text of this recommendation is available at: http://www.datenschutz-berlin.de/doc/int/iwgdpt/pr_en.htm
[157] This will, however, only be the case when the website offers sufficient information to the user concerning the data processed, the finality of the processing, the identity of the controller, etc. See Article 10 of the Directive.
[158] For more details on the techniques used by such advertising companies see: Privacy Risks in Chapter 5, Surfing and Searching and Chapter 7, Electronic Transactions on the Internet.

Electronic mailing

For a commercial mailing campaign, a company must obtain an extensive and appropriate list of e-mail addresses of potential users. As stated above, it is often quite simple to use the resources available on the Internet. There are three different ways to collect e-mail addresses from the Internet [162]: direct collection from customers or visitors of websites, purchase or hire of lists provided by third parties [163] and collection from public spaces [164] such as public e-mail directories or e-mailing lists, newsgroups or chat rooms.

There are some tools available on the Internet to help collect e-mail addresses. These programs search websites or parts of the Usenet which have to be specified in advance by a list of URLs or keywords related to a predefined field of interest (e.g. sports, travel) and subsequently provide all e-mail addresses found on the sites/pages or in the fora. There are a number of services which work as list brokers in collecting e-mail addresses and selling or hiring the e-mailing lists at a very low price. Furthermore, other tools specialise in sending e-mails as an "e-mail service provider", i.e. without using an ISP or any other provider offering an e-mail service. These programs ensure on one hand that all e-mail spam filters installed by those providers are bypassed and on the other hand enable a fast and automatic operation. If required by the sender, he can use the host-spamming service, where a third party operates the spamming, which is also offered at a low price.

[159] Banner advertisements are small graphic boxes which appear above, or are integrated into, the website content.
[160] It shall be kept in mind that the definition of identifiable data under article 2 (a) of Directive EC/95/46 is very wide: "an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity".
[161] See Chapter 3: application of data protection legislation; section I, General legal considerations: personal data on the Internet.
[162] See Chapter 4 on e-mail for more details about collection of e-mail addresses.
[163] These lists can also contain e-mail addresses collected from public spaces on the Internet.
[164] See Chapter 6 on publications and fora.

III. Legal Analysis

Different directives may apply to online profiling and electronic mailing.

The data protection directive

The general directive states that personal data must be collected fairly, for specified, explicit and legitimate purposes, and be processed in a fair and lawful manner in accordance with those stated purposes [165]. Processing must take place on legitimate grounds such as consent, contract, law or a balance of interests [166]. Furthermore, the individual has to be informed about intended processing which also includes transmission to third parties before that transmission takes place [167], and given the right to object to the processing of their personal data for direct marketing purposes [168]. The data subject must also have the right to access the data related to him/her and to rectify, erase or block these data [169].

The distance selling directive

The distance selling directive [170] requires that consumers, at the very least, are given the right to object to distance communications operated by means of electronic mail [171].

The specific privacy and telecommunications directive

Directive 97/66/EC gives national legislators the choice of implementing "opt in" or "opt out" rules for unsolicited commercial communications [172]. Cases where automatic calling machines or faxes are used for marketing purposes are subject to prior consumer consent [173]. The definition of automatic calling machines, which is very loosely worded, could easily be applied to electronic mail.

In July 2000, the European Commission produced a proposal for a new directive concerning the processing of personal data and the protection of privacy in the electronic communications sector to replace Directive 97/66/EC. In this proposal, the article on unsolicited commercial communications explicitly includes electronic mail, which is only permitted in the case of subscribers who have given their prior consent.

[165] Directive 95/46/EC, Article 6.
[166] Directive 95/46/EC, Article 7.
[167] Directive 95/46/EC, Article 10.
[168] Directive 95/46/EC, Article 14.
[169] Directive 95/46/EC, Article 12.
[170] Directive 97/7/EC of the European Parliament and of the Council of 20 May 1997 on the protection of consumers in respect of distance contracts
[171] Directive 97/7/EC, Article 10.
[172] Directive 97/66/EC, Article 12 (2).
[173] Directive 97/66/EC, Article 12 (1).

The e-commerce Directive

The e-commerce directive [174] states that commercial electronic mails must be identified as such [175] and that opt-out registers, in which individuals not wishing to receive such electronic mails may register themselves, must be regularly consulted and observed [176].

Although neither the general directive nor the telecommunications directive explicitly refer to e-commerce, they have to be applied in this area: the recitals and Article 1 paragraph 5b of the e-commerce directive make it clear that this directive is in no way intended to change the legal principles and requirements contained in the existing legislative framework. It follows that the implementation of the e-commerce directive must be completely in line with the data protection principles defined in the respective legislation. Therefore, national data protection legislation will continue to be applicable to companies responsible for the processing of personal data [177]. Furthermore, Member States may implement regulations embodied in the telecommunications directive and which go beyond the requirements of the e-commerce directive, i.e. commercial communications may be subject to the prior consent of the recipient [178].

IV. Conclusions

The rules laid down in the general directive, the e-commerce directive, the distance selling directive and the telecommunications directive are applicable to the use of electronic mailing for cybermarketing purposes. Only the general directive applies to online profiling. Although it forms part of e-commerce, online profiling is not dealt with in the e-commerce directive. Furthermore, network advertising is not covered by the revised telecommunications directive either, as providers performing this service are explicitly excluded from the scope of this directive.

It is, therefore, possible to conclude the following:

Online Profiling and Advertising [179]

- Internet Service Providers must inform users about the intended processing of their data before these are collected [180]. This includes the type, scope and storage period and the purposes of the processing, i.e. use for profiling [181]. If the data are transmitted to third parties, this must also be explicitly mentioned. This information should also be given in cases where data are collected using pseudonyms or non-personalised identification numbers. In particular, users must be informed before any cookie used for profiling is placed. This should be done by a special box (prompt) which is activated even if the browser does not notify the user about the setting of the cookie.
- Users must, at all times and at the very least, be given the right to object to the processing of their data [182]. As a result, data collected during future use of the Internet may not be used to enrich an existing profile. This also applies in cases where the processing is subject to the user's prior consent.
- The personalisation of profiles must be subject to the informed prior consent of the individuals. They must have the right to withdraw their consent at any time and with future effect.
- Users must, at any time, be given the opportunity to access their profiles for inspection. They must also have the right to correct and erase the data stored [183].

[174] Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market.
[175] Directive 2000/31/EC, Article 7.
[176] Directive 2000/31/EC, Article 7.
[177] Directive 95/46/EC, Article 4.
[178] Directive 97/66/EC, Article 12. Proposal for a new directive concerning the processing of personal data and the protection of privacy in the electronic communications sector, Article 13 on unsolicited commercial communications.
[179] These conclusions are based on the decision reached by the German Data Protection Authorities concerning a specific network advertiser. The International Working Group on Data Protection in Telecommunications adopted a Common Position which also reflects this decision. See http://www.datenschutz-berlin.de/doc/int/iwgdpt/pr_en.htm
[180] Directive 95/46/EC, Article 10.
[181] Directive 95/46/EC, Article 6.

Electronic mailing

- The enterprise collecting an e-mail address directly from a user with a view to electronic mailing performed by that enterprise itself or by a third party to which the e-mail address will be disclosed, has to inform the user by adequate technical means of those purposes at the time of collection [184].
- As long as Member States can choose between implementing opt-in or opt-out, enterprises sending commercial e-mails must ensure by adequate technical means that those e-mails can be identified as such by the recipient [185].
- As long as Member States can choose between implementing opt-in or opt-out, before sending commercial e-mails the enterprise must consult opt-out registers, where users indicate that they do not wish to receive commercial e-mails. These entries have to be respected in all cases [186]. The existence of international opt-out registers would be very beneficial.
- Collecting e-mail addresses from public spaces on the Internet and using them for commercial e-mailing goes against the relevant Community legislation, i.e. the general directive [187]. Firstly, this practice constitutes unfair processing of personal data [188]. Secondly, it goes against the purpose principle [189], as persons publish their e-mail address for a specific purpose, e.g. to participate in a newsgroup, this purpose being quite different to that of commercial e-mailing. Thirdly, it cannot be regarded as passing the balance of interest test [190], in view of the fact that the addressee suffers in terms of time, cost and unreasonable disruption.
- Five Member States (Germany, Austria, Italy, Finland and Denmark) have adopted measures aimed at banning unsolicited commercial communications. In the other Member States, either an opt-out system exists or the situation is not fully clear. Companies in opt-out countries may target e-mail addresses not only within their own country but also those of consumers in Member States with an opt-in system. Moreover, since e-mail addresses very often give no indication of the country of residence of the recipients, a system of divergent regimes within the internal market does not provide a common solution for the protection of consumer's privacy. Opt-in is thus a well-balanced and efficient solution in order to remove obstacles to the provision of commercial communications whilst protecting the fundamental right of privacy of consumers. The Working Party thus welcomes and supports the proposal to address unsolicited electronic mail in the same way as automatic calling machines and facsimile machines. In all these situations, the subscriber has no human interface and supports parts or the whole of the costs of the communication. The degree of invasion into privacy and the economic burden are comparable [191].

[182] Directive 95/46/EC, Article 14.
[183] Directive 95/46/EC, Article 12.
[184] Directive 95/46/EC, Article 10.
[185] Directive 2000/31/EC, Article 7.
[186] Directive 2000/31/EC, Article 7.
[187] See Opinion 1/2000 on certain data protection aspects of electronic commerce presented by the Internet Task Force (WP 28).
[188] Directive 95/46/EC, Article 6 (1) (a).
[189] Directive 95/46/EC, Article 6 (1) (b).
[190] Directive 95/46/EC, Article 7 (f).
[191] See Opinion 7/2000 on the European Commission Proposal for a Directive of the European Parliament and the Council concerning the processing of personal data and the protection of privacy in the telecommunications sector of 12 July 2000 COM (2000) 385, adopted on 2 November 2000, WP 36.

CHAPTER 9: PRIVACY-ENHANCING MEASURES

I. Introduction

The EC data protection directive contains two principles which have direct consequences for the design and use of new technologies:

- its "finality" or "purpose" principle requires that personal data only be used where necessary for a specific legitimate purpose; in other words, personal data cannot be used without legitimate reason and the individual remains anonymous (Articles 6 (1) b and 7).
- its "data security" principle requires that controllers implement security measures which are appropriate to the risks confronting personal data in storage or transmission, with a view to protecting personal data against accidental or unlawful destruction and against accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing (Article 17).

The "finality" or "purpose" principle mentioned above is the underlying motive for the concept of Privacy-Enhancing Technologies (PETs). This concept refers to a variety of technologies that safeguard personal privacy, notably by minimising or eliminating the collection or further processing of identifiable data [192]. Privacy-Enhancing Technologies aim to hinder any unlawful forms of processing by, for instance, making it technically impossible for unauthorised persons to access personal data, so as to prevent the possible destruction, alteration or disclosure of these data. The practical implementation of this concept requires organisational and technical solutions.

These technologies are often based on the use of a so-called identity protector [193]. An identity protector may be regarded as an element of the system that controls the release of an individual's true identity to various processes within the information system. Its effect is to cordon off certain areas of the system, which do not require access to true identity. One of the most important functions of the identity protector is to convert a user's actual identity into a pseudo-identity, an alternate (digital) identity that the user may adopt when using the system. Several techniques can be used to introduce an identity protector into an information system; among others, encryption techniques involving digital signatures, blind signatures, digital pseudonyms and Trusted Third Parties.
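
The identity protector described above can be sketched in a few lines. This is an added example, not code from the Working Party document or from the Registratiekamer report: it derives pseudo-identities with a keyed hash (HMAC-SHA-256), which is one simple choice and not one of the techniques listed above, and the domain names ("billing", "weblog", "statistics") and the sample user are assumptions.

```python
import hashlib
import hmac
import secrets


class IdentityProtector:
    """Releases a true identity only to the areas of the system that need it."""

    def __init__(self, identity_domains, key=None):
        # Areas allowed to see true identities (hypothetical names).
        self._identity_domains = frozenset(identity_domains)
        # Secret known only to the protector; without it pseudonyms cannot
        # be recomputed or linked across domains.
        self._key = key or secrets.token_bytes(32)
        self._issued = {}  # pseudo-identity -> true identity, never exported

    def pseudonym(self, identity, domain):
        """Stable pseudo-identity inside one domain, different in each domain."""
        message = domain.encode() + b"\x00" + identity.encode()
        alias = hmac.new(self._key, message, hashlib.sha256).hexdigest()[:20]
        self._issued[alias] = identity
        return alias

    def release(self, identity, domain):
        """What a process running in `domain` is given in place of the user."""
        if domain in self._identity_domains:
            return identity
        return self.pseudonym(identity, domain)

    def reidentify(self, alias, requesting_domain):
        """Map a pseudo-identity back, for authorised domains only."""
        if requesting_domain not in self._identity_domains:
            raise PermissionError(requesting_domain + " may not learn identities")
        return self._issued[alias]


def demo():
    """Show what three areas of a system see for the same (constructed) user."""
    protector = IdentityProtector(identity_domains={"billing"})
    user = "alice@example.org"
    return {d: protector.release(user, d)
            for d in ("billing", "weblog", "statistics")}


if __name__ == "__main__":
    for domain, seen in demo().items():
        print(domain, "sees", seen)
```

Because the domain name is part of the keyed hash input, the web log and the statistics process hold different pseudo-identities for the same person and cannot join their records without going through the protector.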

II. Privacy-enhancing technologies

This section describes and analyses a number of Privacy-Enhancing Technologies [194].

Cookies killers

Two kinds of responses to solving the privacy problems of cookies are analysed below. The first originated from the Internet industry itself and has been incorporated into the main browsers in the market. The second came from various privacy activists or software houses. It consists of tools which make it possible to delete all or some cookies.

[192] See the report by HES, R. and BORKING, J. (editors), Privacy-enhancing technologies: the path to anonymity (revised edition), Registratiekamer, in cooperation with the Ontario Information and Privacy Commissioner, Achtergrondstudies en Verkenningen 11, The Hague, November 1998. Available at www.registratiekamer.nl
[193] See the PET report by the Registratiekamer (op cit.) - particularly page 7 and following - for more details.
[194] See also the EPIC online guide to practical privacy tools, available at www.epic.org/privacy/tools.html

The cookie opposition mechanisms used by the industry

The only visible attempt to solve the problem of cookies is the cookie opposition mechanism used in common browsers since version 3. It is possible for an aware Internet user to parameterise the browser by choosing between three options:

- to accept every cookie
- to refuse every cookie or cookie not sent back to the originating server (Netscape)
- to be asked on a case-by-case basis

Cookie opposition mechanisms remain insufficient for many reasons:

1. Normally the default setting is the most privacy invasive (accepting all cookies) and the average Internet user does not know that the cookie is widely used, e.g. by cybermarketing companies to track keywords typed on search engines using invisible processing means.
2. The cookie blocking mechanism inhibits the reception of new cookies but does not prevent the systematic and invisible sending of cookies already received.
3. Cookies can be very different in nature: some cookies are useful and non-identifying (e.g. preferred language). Others are identifying but may be used in compliance with privacy regulations. In general, it can be said that session cookies [195] are much less privacy invasive than persistent cookies. Refusing all cookies might not be in the interest of the Internet user.
4. Several websites deny access to users that do not wish to accept cookies.
5. Several websites (or the websites invisibly hyperlinked) send trains of cookies, and a case-by-case approach will oblige the Internet user to refuse each of them one after the other, causing what has been called "click fatigue", which will lead the user to accept the cookie once and for all, so as not to be disturbed any more.
6. In some cases, the wording of the cookie warning [196] seems incomplete and might be misleading.
7. When installing a new browser, the first site (by default the website of the browser producer) to be visited can send a cookie before the user has had the opportunity to deactivate the cookie feature.

In July 2000, Microsoft announced that it was introducing a beta security patch for the next version of Internet Explorer that would allow for the better management of web cookies [197]. According to preliminary information, the patch will offer several features that will allow users to control cookies more effectively. The browser will be able to differentiate between first-party and third-party cookies and the default setting will warn the user when a persistent third-party cookie is being served. In addition, the new functionality will allow Internet users to delete all cookies with a single click and will make information about security and privacy more easily accessible. The security patch does not, however, increase consumer control over the use of first-party cookies prevalent on commercial websites.
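
The session/persistent and first-party/third-party distinctions discussed above can be read directly from a Set-Cookie header and the address of the page being visited. The following is an added example, not code from the Working Party document or from any browser: it classifies cookies and applies the default described for the announced patch (warn only on a persistent third-party cookie). The host names, the sample headers and the two-label rule for deciding what counts as the same site are assumptions.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


def site_of(host):
    """Approximate the site a host belongs to by its last two labels.

    Assumption for this example; browsers use the Public Suffix List.
    """
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def classify(page_url, response_url, set_cookie):
    """Classify the cookie(s) carried by one Set-Cookie header value.

    page_url     -- the page the user asked for (address bar)
    response_url -- the response that carried the header, for instance a
                    banner fetched through an invisible hyperlink
    """
    page_host = urlsplit(page_url).hostname
    sender_host = urlsplit(response_url).hostname
    third_party = site_of(sender_host) != site_of(page_host)
    jar = SimpleCookie()
    jar.load(set_cookie)
    verdicts = []
    for name, morsel in jar.items():
        # A Domain attribute may widen the scope, but only to a domain the
        # sending host itself belongs to.
        domain = morsel["domain"].lstrip(".").lower()
        in_scope = (not domain or sender_host == domain
                    or sender_host.endswith("." + domain))
        # No Expires and no Max-Age: the cookie lives for the session only.
        # Max-Age=0 asks for deletion, so it is not treated as persistent.
        # Expires is not compared with the clock in this example.
        try:
            persistent = int(morsel["max-age"]) > 0
        except ValueError:
            persistent = bool(morsel["expires"])
        if not in_scope:
            action = "reject"
        elif third_party and persistent:
            action = "warn"      # default described for the announced patch
        else:
            action = "accept"
        verdicts.append({
            "name": name,
            "party": "third" if third_party else "first",
            "lifetime": "persistent" if persistent else "session",
            "action": action,
        })
    return verdicts


# Constructed sample traffic: one page view on a shop that embeds a banner.
PAGE = "http://www.shop.example/basket"
BANNER = "http://ads.adnetwork.example/banner.gif"
SAMPLES = [
    (PAGE, "lang=en; Path=/"),
    (PAGE, "customer=4711; Max-Age=31536000; Path=/"),
    (BANNER, "sid=1; Path=/"),
    (BANNER, "uid=7f3a; Expires=Fri, 31 Dec 2038 23:59:59 GMT; "
             "Domain=.adnetwork.example"),
]


def review(samples=SAMPLES, page_url=PAGE):
    """Return (name, party, lifetime, action) for every sample cookie."""
    return [(v["name"], v["party"], v["lifetime"], v["action"])
            for url, header in samples
            for v in classify(page_url, url, header)]


if __name__ == "__main__":
    for row in review():
        print(*row)
```

The persistent first-party cookie `customer` is accepted without any prompt, which is the gap the paragraph above points out.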

[195] Cookies with no fixed duration will not be stored on the hard disk but only in the RAM memory.
[196] In MSIE 4.0 UK, the cookie warning is worded as follows: "In order to provide a more personalised browsing experience, will you allow this website to put information on your computer? If you click Yes, the website will save a file on your computer. If you click No, the current web page may not display correctly." The Internet user has then to click on a new button to know the domain (not the sender!) of the cookie and its duration.
[197] EPIC Alert 7.14, July 27, 2000.

Independent programs

Cookie washer, cookie cutter, cookie master or cookie cruncher are some of the freeware or shareware programs that every Internet user can download and use on the Net [198]. Similar remarks to those above can be made here:

1. The Internet user has to process his/her own cookies files daily on a case-by-case basis because of the different nature of the cookies.
2. In the case of shareware programs, the Internet user sometimes has to pay to protect him/herself.
3. The cookies handling mechanism is not always user-friendly or easy to understand for an average Internet user.

Proxy servers

The proxy server is an intermediary server between the Internet user and the Net. It acts as a web cache, dramatically improving the performance of the Internet. Many large organisations or Internet Access Providers have already implemented this solution. Each page, image or logo downloaded from outside by an organisation's member is stored on a cache and will be instantaneously available to another member of this organisation. In this case it is not necessary for every member of the organisation located before the proxy server to have his/her own IP address, because they do not directly access the Internet. Furthermore, the proxy server will not normally [199] transmit the IP address of the Internet user to the website and can filter the browser chattering. Due to the fact that a proxy server handles the HTTP protocol, the cookies stored in the HTTP header can therefore be easily removed, changed, or stored by the proxy server.
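
A sketch of the header filtering described above, as an added example rather than code from any proxy product: it drops or replaces the request headers that make up the browser chattering, removes cookies in both directions, and checks whether a forwarded request still carries the client's address (the failure noted in footnote 199). The list of headers, the X-Forwarded-For header used to model such a proxy, and the sample request are assumptions constructed for illustration.

```python
import ipaddress
import re

# Request headers that describe the user rather than the resource wanted (the
# "browser chattering"), plus headers a proxy may add about its client.
DROP_REQUEST = {"cookie", "referer", "from", "accept-language",
                "x-forwarded-for", "forwarded", "client-ip"}
REPLACE_REQUEST = {"user-agent": "Mozilla/4.0 (compatible)"}
DROP_RESPONSE = {"set-cookie", "set-cookie2"}


def parse_head(raw):
    """Split the head of a raw HTTP message into (start_line, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and headers:
            # Folded continuation line: belongs to the previous header.
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
            continue
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip(), value.strip()))
    return lines[0], headers


def sanitise_request(headers):
    """Headers the proxy forwards to the website."""
    kept = []
    for name, value in headers:
        key = name.lower()
        if key not in DROP_REQUEST:
            kept.append((name, REPLACE_REQUEST.get(key, value)))
    return kept


def sanitise_response(headers):
    """Headers handed back to the browser: no cookie is set."""
    return [(n, v) for n, v in headers if n.lower() not in DROP_RESPONSE]


def address_leaks(headers, client_ip):
    """Names of headers whose value contains the client's own IP address."""
    client = ipaddress.ip_address(client_ip)
    leaking = set()
    for name, value in headers:
        for token in re.findall(r"[0-9A-Fa-f:.]+", value):
            # Try the token as written and with a trailing ":port" removed.
            for candidate in (token, token.rsplit(":", 1)[0]):
                try:
                    if ipaddress.ip_address(candidate) == client:
                        leaking.add(name)
                except ValueError:
                    pass
    return sorted(leaking)


# Constructed sample: what a browser behind the proxy sends.
CLIENT_IP = "192.0.2.44"  # documentation address range
BROWSER_REQUEST = (
    b"GET http://www.shop.example/catalogue?item=42 HTTP/1.0\r\n"
    b"Host: www.shop.example\r\n"
    b"User-Agent: Mozilla/4.7 [en] (WinNT; I)\r\n"
    b"Referer: http://search.example/find?q=private+keywords\r\n"
    b"Accept-Language: fr-BE\r\n"
    b"Cookie: uid=7f3a\r\n"
    b"Accept: text/html\r\n\r\n"
)
# Constructed sample: the same request as forwarded by a proxy that appends
# its client's address to the headers.
LEAKY_FORWARD = parse_head(BROWSER_REQUEST)[1] + [
    ("X-Forwarded-For", CLIENT_IP),
    ("Via", "1.0 cache.isp.example"),
]

if __name__ == "__main__":
    print("leaks before:", address_leaks(LEAKY_FORWARD, CLIENT_IP))
    clean = sanitise_request(LEAKY_FORWARD)
    print("forwarded:", clean)
    print("leaks after:", address_leaks(clean, CLIENT_IP))
```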

Anonymisation software

Anonymisation software allows users to interact anonymously when visiting websites, by first passing through an anonymising website that disguises their identity [200]. By stopping at an anonymising website before going anywhere else on the Internet, the user can allow personal data, such as the user's IP address, to be withheld from the receiving website. Anonymiser sites also block system data (such as the operating system and browser being used) from being sent to websites, block cookies from being deposited into browsers and block Java and JavaScript, which can access personal data in browsers. The anonymiser [201] or the "zero knowledge system" [202] are good examples of these.

The Anonymiser claims to:

- act as an intermediary between the user and the sites he/she visits, concealing the user's identity from invasive tracking measures
- block Internet programs embedded in the web page (Java and JavaScript) that may damage the user's computer or gather sensitive personal data.

The Anonymiser offers two services, anonymous surfing and anonymous e-mail, and one product, the Anonymising server. The Anonymising server enables anyone to create his/her own anonymising site. The Internet user sometimes has to pay to take full advantage of anonymous services. He/she always has to connect to the Anonymiser website to use the anonymising services. It means that this service remains very vulnerable to surveillance by a third party.

The Anonymiser can provide anonymous services such as surfing, mailing or file transfer. Technically speaking, the Anonymiser acts as a proxy server and will hide HTTP browser chattering and the IP address of the surfer. The main problem while using this service is that the Internet user has to trust a particular company, and that this company will be aware of everything the user is doing on the Web.

[198] Some of these programs can be found on http://tucows.belgium.eu.net/cookie95.html.
[199] Unfortunately some proxies add the TCP-IP address of the PC they are working for to the HTTP header.
[200] See the book "Net Worth" (op. cit), page 273 and following.
[201] http://www.anonymizer.com/3.0/index.shtml
[202] http://www.zeroknowledge.com

The zero knowledge system proposes software called "Freedom". This solution is based on at least three TCP/IP relays combined with heavy (at least 128-bit) encryption. Because the TCP/IP is used by every service on the Net, every service is thereby encrypted and anonymised. Each of the three TCP/IP intermediary stations knows only the TCP address of its predecessor. They keep no logbook, so that even two relays put together are unable to trace back the information requested or retrieved. Of course, the routing of the information is dynamic and will be likely to change even during a very brief communication. A cookie management system seems to be integrated into Freedom.

Another example of this kind of services is offered by privada.com. This company offers services that support all network transaction types, including browsing, email, messaging, and soon, commerce. Privada's infrastructure is based on a system of compartmentalisation and encryption. The user receives a CD-ROM or downloads a client application, PrivadaControl, from his or her ISP. PrivadaControl communicates with Privada network servers that reside at the ISP's premises and functions as the user's personal privacy firewall. PrivadaControl aims at protecting all user information and data from the point of transaction up through the network - ensuring the user's privacy from all parties, including Privada and the ISP. Using PrivadaControl, the user creates a private, digital account that represents his or her activities online while completely dis-associating all personal user information from online activity. PrivadaControl appears to allow the user to create or delete digital identities, choose between them while interacting on-line, and set attributes and characteristics about themselves.

This system does not block all Java applets, cookies, or Active-X controls but allows the user to decide the level at which personalisation and web services may function. Cookies are placed on centralised servers within the Privada Network, not on the user's personal computer. Any log files or data mining efforts on the part of a website are associated with the user's online identity - not his real identity. Privada claims that users can easily remove any or all cookies that have been set.

The system proposed by iPrivacy is presented as permitting anonymous e-commerce, from surfing to shopping to shipping. It enables consumers to browse and search the net privately, purchase online privately and have their purchases delivered without revealing the identity of the recipient. According to the company, not even the company itself would be aware of the true identity of the consumers who use the services. As far as a transaction is concerned, only the customer and the credit card user would know any personal information about the purchase made online [203].

E-mail filters and anonymous e-mail [204]

These systems have been already described in the e-mail chapter. The following is a summary of their main features.

- E-mail filtering screens a user's incoming e-mail and lets through only those e-mails that he/she has indicated that he/she would like to receive. These systems are largely used to screen out junk mail.
- Anonymous e-mail allows users to offer their e-mail address on-line without having to give away their identity [205]. This service is currently available free of charge on the Internet through a collection of companies providing "remailer" services. With these services, the remailer strips off a user's identity for delivered e-mail.

Infomediaries

An individual can also decide to make use of a so-called infomediary [206]. The infomediary has been described as follows: "An infomediary, or information intermediary, is a trusted person or web-enabled organisation that specialises in information and knowledge services for, about, and on behalf of a virtual community. The infomediary facilitates and stimulates intelligent communication and interaction among the members of the virtual community. It administers and cultivates a proprietary knowledge asset that contains content and hyperlinks that are of specific interest to the community. In accordance with the privacy constraints that are mandated by the virtual community, the infomediary gathers, organises and selectively releases information about the community and its members in order to fulfill the needs of the virtual community…".

The infomediary is a new kind of business intermediary to help customers capture, manage and maximise the value of their personal data [207]. Consumers have shown that they are willing to release personal information if they can profit by doing so, but they increasingly recognise that they are selling their privacy cheaply to companies that are using it to promote their own interests. The returns of the information they divulge are, in simple terms, unsatisfactory [208].

Infomediaries could help consumers to strike the best bargain with the vendors, by aggregating their information with that of other customers and using their combined market power to negotiate with vendors on their behalf. They act as custodians, agents and brokers of customer information, marketing it to businesses (and giving them access to it) on the consumer's behalf while at the same time protecting their personal data against abuse.

The positive aspect of an infomediary is that, in many cases, it can purchase the desired goods or services and deliver them to the final consumer while leaving him/her cloaked in anonymity. The infomediary company can also provide intelligent agents to help subscribers accomplish their task.

Infomediary clients will theoretically have the option of remaining forever anonymous while they browse the Web and make purchases on-line. However, they will be encouraged not to do so because they will be paid a small fee by vendors every time they divulge who they are or what their e-mail address is. This fee may take the form of a monetary payment, or a discount in the price of the product sold.

Clients will also receive cash payments in return for providing selected vendors with access to their information profiles. The amount of the cash payment will depend on the privacy preferences of individual clients. Clients who choose to remain totally anonymous will forgo cash payments in return for assurances about their privacy. Clients who are comfortable with the controls imposed by the infomediary on access to their information and who see the value of selective disclosure to vendors, could generate cash payments for themselves.

In conclusion, it can be said that while an infomediary can play a positive role in protecting the personal data of users with whom they have a trust-based relationship, the basis of this business is the possibility of making profits by divulging or giving access to customers' personal data. Depending on the circumstances and the nature of the infomediary, it can be both privacy-enhancing and privacy-invasive.

[203] http://www.iprivacy.com
[204] See the book "Net Worth" (op. cit), page 275 and following.
[205] This paper also refers to this kind of service in Chapter 6 (publications and fora), in its section on privacy-enhancing measures.
[206] http://www.fourthwavegroup.com/Publicx/1635w.htm
[207] One of the most complete studies about this new body is the book "Net Worth: the emerging role of the infomediary in the race for customer information"; HAGEL III, J. and SINGER, M., Harvard Business School Press.
[208] HAGEL III, J. and SINGER, M, op. cit.

III. Other privacy-enhancing measures

Other techniques can also be used to improve the transparency of processing or facilitate the exercise of data subjects' rights. Examples include:

P3P

P3P stands for Platform for Privacy Preferences [209]. The objective of P3P is to allow websites to express their privacy preferences and users to exercise their preferences over these practices, so that users can take informed decisions about their web experiences and control the use of their information.

The whole data protection community has followed the development of P3P with great interest. In April 1998, the International Working Group on Data Protection in Telecommunications issued a common position on the Essentials for privacy-enhancing technologies (e.g. P3P) on the World Wide Web [210]. This paper sets out the essential conditions to be met by any technical platform for privacy protection on the World Wide Web, with the objective of avoiding the systematic collection of personal data:

1. Technology cannot in itself secure privacy on the web. It needs to be applied according to a regulatory framework.
2. Any user should have the option to browse the web anonymously. This also applies to the downloading of information in the public domain.
3. Before personal data, particularly those disclosed by the user, are processed by a website provider, the user's informed consent must be obtained. In addition, certain non-waivable ground rules should be built into the default configuration of the technical platform.

[209] The last working draft of the P3P protocol can be found on the W3C website at http://www.w3.org/TR/1999/WD-P3P
[210] This text is available at: http://www.datenschutz-berlin.de/doc/int/iwgdpt/priv_en.htm

Two months later, in June 1998, the Working Party also issued an opinion [211].
ThisopinionstressedthefactthatatechnicalplatformforprivacyprotectionwillnotinitselfbesufficienttoprotectprivacyontheWeb.
Itmustbeappliedwithinthecontextofaframeworkofenforceabledataprotectionrulesprovidingaminimumandnon-negotiablelevelofprivacyprotectionforallindividuals.
ThisopinionalsomentionedanumberofspecificissuesthatwouldberaisedbytheimplementationofsuchasystemwithintheEuropeanUnion.
InordertoinvestigatetheapplicationofP3PinthecontextoftheEuropeandataprotectiondirectiveandtofostercommunicationbetweentheEUdataprotectioncommunityandsoftwaredevelopers,ajoint-seminarwasorganisedinSeptember1999.
Ahigh-leveldelegationfromtheWorldWideWebConsortiumandmembersoftheInternetTaskForceparticipatedinthisseminar.
Thisseminarshowedthatagoodnumberofissuesstillneededtobeaddressed.
Oncetheseissuesareresolved,P3Pcouldplayapositiveroleifappliedwithinanadequateframework.

The main positive aspects of P3P are the following [212]:
- P3P can help standardise privacy notices. While this in itself does not offer privacy protection, it could, if implemented, greatly advance transparency and be used to support efforts to improve privacy protection.
- P3P can support the growth of privacy choices, including anonymity and pseudonymity.

The limitations [213] of P3P should, however, be taken into account:
- P3P cannot protect the privacy of users in countries with insufficient privacy laws: it does not have the ability to create public policy, nor can it demand that its specifications be followed in the marketplace.
- P3P cannot ensure that companies follow privacy policies. In fact, P3P cannot guarantee that the site is doing what it claims to do. The sanctions for failure to comply with a declaration of intent can only be set by law or through membership of a self-regulatory body.

The labelling of privacy

The labelling consists of a quality stamp put on a website. Over the years, various privacy labels have appeared, with TRUSTe [214], Privaseek [215], the Better Business Bureau [216] and WebTrust [217] being examples of such labelling systems. These American organisations aim at operating at international level, also in Europe, which is already the case for some of them. At the same time, similar initiatives with international purposes are taken in Europe, such as for instance L@belsite in France.

A privacy label is granted to companies that fulfil a number of requirements specified by the labelling organisation. This organisation can exercise some kind of control over compliance with the privacy policies published by companies holding their label by carrying out periodical checks on the activities of these companies. In some cases, the labelling organisation also deals with complaints filed by data subjects concerning companies with this label on their websites.

[211] Opinion 1/98 on Platform for Privacy Preferences (P3P) and Open Profiling Standard (OPS), adopted on 16 June 1998, WP 11, XV D/5032/98.
[212] See the article by CAVOUKIAN, A. and GURSKI, M. (Information and Privacy Commissioner Ontario) and MULLIGAN, D. and SCHWARTZ, A. (Center for Democracy & Technology), P3P and privacy: an update for the Privacy Community, available at: wysiwyg://16/http://www.cdt.org/privacy/pet/p3pprivacy.
[213] See the previous footnote.
[214] http://www.truste.org
[215] http://www.privaseek.com
[216] http://www.bbbonline.org/businesses/privacy/index.html
[217] http://www.cpawebtrust.org/consumer/index.html

The labelling of privacy raises a number of issues:

1. The first concerns the label content. The right of information, access, the data minimisation principle, the right of opposition, the principle of legitimacy and proportionality, and the obligation to notify the national data protection authority are some of the cornerstones of the European data protection principles. The main social risk would be the widespread dissemination of privacy labels throughout Europe, which could be misleading for users and data controllers. Although they may give this impression, not all labels seriously guarantee compliance with the aforementioned data protection principles.
2. The second problem lies in the control of website privacy practices. Many kinds of control can be envisaged. Some of the major concerns regarding this issue are:
- Who has the control, how, with what sort of mandate from the controlled company? In the worst case, it appears that the controller will primarily be the data subject him/herself, with all the problems this entails in identifying failures to observe posted privacy practices, proving these and reporting them to the label controller. Besides, not all labelling bodies can ensure that companies do as their policies say they will;
- Who will pay? Given that labelling is a private initiative which does not often benefit from government financial support, some labelling bodies will be under pressure from the companies they are supposed to control.
- What, if any, sanctions will be applied?

The possible privacy-enhancing effects of privacy labels should not, however, be underestimated, as they can help raise the awareness of Internet users about privacy.

Some proposals can be made to address the abovementioned problems:

1. The label content: In order to guarantee that privacy labels are in line with European data protection legislation, a European standard for privacy labels could be agreed on by the Working Party. This standard should specify the requirements a label should fulfil [218]. Different labels could coexist as long as it is clear to Internet users which labels meet European standards.
2. The control of website privacy practices: The reliability of website privacy practices could be substantially improved by obliging websites with the quality stamp to undergo periodical audits. The European standard for privacy labels could include this requirement and determine possible ways of carrying out such compulsory controls: self-auditing using a standard checklist, third party audit, etc.

IV. Conclusions

- Recommendations should be issued to produce privacy-compliant browsers with the most privacy-friendly default settings;
- anonymous proxy servers can hide the IP address and could be offered as a free standard feature with an Internet subscription by every ISP;
- websites should not deny access to users who do not want to accept cookies, unless those session cookies are indispensable in order to make the link between a user and his/her different purchases online, thus providing for adequate billing;
- the use of PETs should be encouraged, especially if installed by ISPs or other actors;
- it appears that individuals need to be given more information about the existence of privacy-enhancing technologies. The public sector should take the necessary steps to raise awareness and support the development of these solutions, in addition to using and promoting them [219].
- A European standard for privacy labels could be agreed upon by the Working Party. This standard should include the obligation for websites to undergo periodical audits.

[218] Some very interesting work in this field has been done by the French Data Protection Authority (CNIL). This work could serve as inspiration for the European standard. See www.cnil.fr
[219] In the Netherlands, a motion was approved during the Parliamentary discussion of the new data protection law in the Second Chamber in which the Government was requested to encourage the development and use of PET, and to encourage the public sector to take the initiative as a promoter of PET in its own processing of personal data. Motion number 31 by NICOLAC.S., presented on 18 November 1999 regarding Bill 25892 (Regels inzake de bescherming van persoonsgegevens, Wet bescherming persoonsgegevens), The Hague, Tweede Kamer, vergaderjaar 1999–2000, 25892, nr. 31.

CHAPTER 10: CONCLUSIONS

This document has dealt with a number of topics presented in separate chapters; each one of them includes conclusive remarks about specific issues. There are nevertheless common issues related to all Internet services described in this document, that deserve being dealt with in more general terms. After a summary of the trends and privacy risks observed through all the different aspects of Internet use, this chapter attempts to provide some guidelines and recommendations, considering actions that could be taken at various levels.

1. Trends and risks

The development of the Internet is exponential. A growing number of services is available to the Internet user, from shopping online to participating in fora with people all around the world. Due to this complexity, it becomes more and more difficult to have an adequate overview of all possibilities offered to the user.

Companies look for a way to attract the user and distinguish themselves from others by offering personalised and/or free services. Personalisation of the services is dependent upon utilisation of personal data of the users, which companies try to obtain using different sources, such as encouraging the provision of such data by the users themselves in the framework of loyalty programs, free gifts or services, collection from publicly available sources, etc. The profiles constituted are not only valuable for the companies who want to target a consumer, but have an economic value in themselves as they are often sold or hired to others.

The development of new technologies makes it easier today to follow an Internet user. For instance, when a consumer uses a mobile phone to connect him/herself to the Internet, data indicating his/her location can be generated. When the user makes an Internet connection through new means such as ADSL or cable, he/she is assigned a static IP address that facilitates the tracking from session to session. New generations of software and hardware offer new features increasing the capability to monitor the user's activities in real time, often without his/her knowledge. Numerous examples of invisible processing and E.T. software have been given all through this document. In this context, it becomes difficult for the average user to remain anonymous while being on the Internet.

The combination of these developing capabilities brings with it new risks for the privacy of the Internet user, especially when data are concentrated in the hands of one or a limited number of controllers. When these controllers make use of data mining technologies for example, they have the technical possibility not only of processing and reorganising the data but also of uncovering new links and characteristics related to the data subject, who is usually not aware of this possibility and does not expect such processing.

Such risks also arise from the fact that some data are preserved online for a very long period of time; for instance the messages posted to newsgroups and mailing lists are often kept several years and can be consulted using reverse search tools. Such availability of personal data enables unexpected secondary use of those data, which is often incompatible with the purpose for which the data were originally collected.

2. Guidelines and recommendations

2.1. Raising the awareness of the Internet user

Given the increasing risks for the privacy of the Internet user, as described above, it is especially relevant to ensure that adequate means are put into place so that the user gets all the information he/she needs to make an informed choice. Several actors have a role to play in the provision of this information to the user.

In the first place, any controller collecting personal data online has to give all necessary information to the data subject. This information, mentioned in article 10 of Directive 95/46/EC, shall be given in all cases at the time of the collection of data. Although having a privacy policy posted on the website is a good way of providing general information to the public, it is necessary to provide information to the data subject from whom the data are being collected, in a simple and accessible way each time that data are collected, e.g. in the same screen where he/she has to fill in his/her data or through a box prompt.

Where the data controller is a private company, compliance with these rules is not only important in legal terms, but also out of commercial self-interest, as the trust and confidence of individuals will increase and might have an impact on the involvement of the individual with the company. As regards the development of e-commerce for instance, it is being observed that users are reluctant to engage in electronic transactions if they fear that their personal data will not be correctly protected and secured.

Where the controller is a public authority, compliance with the data protection rules is a key element as the behaviour of such an authority should be an example for the public in general. For instance, public authorities implementing e-government activities should build in privacy as one of the cornerstones of the system of exchange of data.

Besides, even when they do not play the role of data controller, the responsibility of these authorities lies in the field of general education and information of the public. In particular, data protection authorities are entrusted with the task of raising awareness about the risks linked with the use of the Internet but also about the rights and obligations foreseen by the legislation. This can be done in several ways, such as publication of brochures, reports, press releases, practical recommendations included in the notification forms, organisation of or participation in conferences or seminars on these issues, directed to the different actors and sectors of society.

Privacy associations and advocates have traditionally been performing such public awareness activities, in a way that has sometimes led to significant improvements as regards the privacy compliance of Internet products.

In several countries of the European Union, it has been observed that consumers' associations are also increasingly getting involved and interested in the privacy aspects of consumers' activities. Such a role can be particularly positive as it does not limit itself to the provision of information but also extends to the representation of consumers in their relation with companies or public authorities. Such associations can e.g. monitor the compliance of ISPs with the laws, or inform public authorities about the complaints they receive about a specific website or Internet company.

Professional associations can also have a positive influence, informing new actors about their legal obligations.

All above-mentioned parties play a significant role in giving the consumer the information necessary in order to allow him to make a responsible choice. It is then up to the individual to make use of the means that are available to him/her to ensure the respect of his/her rights, and possibly to make clear that he/she will not accept services or products that are not in compliance with the existing legal framework.

2.2. Applying existing legislation in a coherent and co-ordinated way

On-line data protection can only be sufficiently guaranteed if the existing legal framework is complied with. Considering the international character of the network, it is essential that data controllers can rely on a coherent and co-ordinated interpretation and application of the European data protection rules. This is not only important for data subjects and controllers inside the EU but also for those outside the Union that also have to take this legal framework into consideration, in particular when they collect personal data using means located inside the Union.

The Working Party has an important role to play in this context. The Working Party has on several occasions identified some lacunae or controversial issues in the existing legislation and issued documents providing for common interpretation and possible solutions.

Special attention has been paid to the revision of the Directive 97/66/EC, which has brought with it some significant improvements in the terminology used. Although the Working Party welcomes the fact that new issues have been taken into account in the draft Directive, some proposals have been made on specific points that could still be better addressed.

The Working Party is concerned about the fact that amendments of existing legislation will sometimes tend to stricter legal requirements as regards in particular the possibilities of surveillance on the web and the generalisation of identification requirements of users. The Working Party has recalled that, although other legitimate interests could be at stake, a balance should always be struck between them and the protection of the personal data of the individual.

It should be emphasised that interpretation and application of the legislation is not only the task of public authorities but that the private sector can provide a fruitful contribution by investing in the development of self-regulation or codes of conduct addressing more specific issues raised in a particular sector.

2.3. Developing and using privacy compliant, privacy friendly and privacy enhancing technologies

As already stated, the processing of personal data on the Internet very much depends on the technical configuration of the hardware and software as well as on the protocols and technical standards used for the transmission of information. It is therefore especially important to take into account privacy requirements at the earliest stage of developing all these tools; e.g. a browser should not transmit more information than necessary to establish a connection to a website. Those involved in the design and development of these technical tools are encouraged to consult the national Data Protection Authorities about the existing data protection legal requirements.

Moreover, in order to make clear to the general public which products are privacy-compliant, it would be useful to put in place a system of certification marks that would allow an easy recognition of those products that comply with the data protection requirements.

Moreover, while new technologies are traditionally considered as a threat to privacy, it should be stressed that they also represent a useful tool in terms of safeguarding privacy. Some of the existing technologies can first be used in order to improve the transparency and the friendliness of the information provided to the data subject, e.g. by giving users simple and accessible information at the moment of collection of personal data. They can secondly be a useful tool in order to simplify the exercise of the rights of the data subjects, e.g. allowing direct on-line access to the personal data of the individual or giving the possibility to oppose the processing.

Taking into account that the average user is not necessarily familiar with the technical aspects of using the Internet, and is not always in a position to decide on or even change the configuration of the hardware and software used, it is crucial that the default settings of the products offer the highest level of privacy protection.

A number of additional tools, better known as "privacy enhancing technologies", have been developed in order to help users safeguard their privacy, notably by minimising or eliminating the collection or further processing of identifiable data and technically hindering any unlawful forms of processing. Examples of such tools are proxy servers, cookie killers, anonymisation software, pseudonymisation tools (in particular valuable for profiling), e-mail filters, etc. Possible new products might include smart cards containing a portable identity protector (PIP) which the individual will be able to insert in any machine from which he/she establishes an on-line connection.

Of all the actors already mentioned in paragraph 2.1., the industry and the public sector are the first ones that should invest in and encourage the development and implementation of privacy protective technologies. The user should be made aware of the existence of these means, which should be available without involving unreasonable costs.

2.4. Building trusted mechanisms for control and feedback

On-line data protection can only be effective if adequate means are in place to monitor and evaluate compliance with the legal framework and technical requirements explained above. For that purpose, even if data protection authorities are in charge of the control of enforcement in the first place, other actors are taking steps in the direction of self-monitoring, as they have realised the impact of their privacy policy on the behaviour of consumers towards them.

Data protection authorities can contribute to the development and good functioning of such self-monitoring systems by providing guidance, e.g. in the form of checklists for self-evaluation agreed at European level.

Furthermore, labels could be granted with a view to helping the consumer get a trustworthy indication of the compliance of data processing with EU data protection legislation. The Working Party intends to take action in this field in order to ensure in particular that privacy labels are granted to websites which are in line with European data protection legislation.

The Working Party invites all actors involved in Internet activities to consider this working document and to take the necessary steps to put its recommendations into practice. The Working Party hopes that this working document will contribute to raising awareness and will promote public debate on this issue, which will certainly require further analysis and follow-up in the future.

GLOSSARY OF TECHNICAL TERMS [220]

ADSL
ADSL (Asynchronous Digital Subscriber Line) is a telecommunication protocol that can be used on classical copper twisted pair lines. It permits speeds of up to one Mbps while the line remains simultaneously free for classical phone conversation. ADSL requires dedicated ADSL modems to be put at both ends of the local line.

Authentication
Verifying the identity of a user logging on to a computer system or verifying the integrity of a transmitted message.

Banner
Banner advertisements are small graphic boxes which appear above or are integrated into the website content.

Calling Line Identification (CLI)
When a call is made, this enables the called user to identify the calling user by presenting the number of the calling line.

Click streams
Information derived from an individual's behaviour, pathway, or choices expressed while visiting a website. They contain the links that a user has followed and are logged on the web server (the ISP computer for those who do not run their web server).

Cookies
Cookies are pieces of data created by a web server that can be stored in text files that may be put on the Internet user's hard disk, while a copy may be kept by the website. They are a standard part of HTTP traffic, and can as such be transported unobstructed with the IP traffic. A cookie can contain a unique number (GUI, Global Unique Identifier) which allows better personalisation than dynamic IP addresses. It provides a way for the website to keep track of a user's patterns and preferences. The cookies contain a range of URLs (addresses) for which they are valid. When the browser encounters those URLs again, it sends those specific cookies to the web server. Cookies can differ in nature: they can be persistent but can also have a limited duration, the so-called session cookies. You can have your browser disable cookies or warn you before accepting a cookie.
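
The three properties the Cookies entry names (the range of URLs a cookie is valid for, whether it is persistent or a session cookie, and whether it carries a unique number) can be read off a site's Set-Cookie response headers. The following is an added example, not part of the working document; the sample headers are constructed, and the function names and the rule that a long opaque value counts as a unique identifier are assumptions of this example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample: Set-Cookie lines such as a shop might send (not real traffic).
SAMPLE_HEADERS = [
    "Set-Cookie: basket=3; Path=/shop",
    "Set-Cookie: uid=7f3a9c2e5b1d4e8fa6c0d2b4e6f81a3c; Domain=.example.test; "
    "Path=/; Expires=Wed, 01 Jan 2031 00:00:00 GMT",
    "Set-Cookie: lang=en; Max-Age=2592000; Path=/",
    "Set-Cookie: sid=Zm9vYmFyYmF6cXV4MTIzNDU2; Path=/; HttpOnly",
]

# Assumption of this example: a value of 16+ opaque characters may be a unique number.
OPAQUE_TOKEN = re.compile(r"[A-Za-z0-9+/_=-]{16,}")


@dataclass
class CookieReport:
    name: str
    scope: str            # range of URLs the browser will send the cookie back to
    lifetime_days: float  # 0.0 means session cookie (gone when the browser closes)
    unique_id: bool       # heuristic: value looks like a per-user identifier

    @property
    def persistent(self) -> bool:
        return self.lifetime_days > 0

    @property
    def finding(self) -> str:
        kind = "persistent" if self.persistent else "session"
        return f"{kind}-identifier" if self.unique_id else f"{kind}-data"


def _lifetime_days(attrs: dict, now: datetime) -> float:
    """Days the cookie outlives the session; Max-Age wins over Expires (RFC 6265).

    A cookie that is already expired is deleted at once and is reported as 0.0.
    """
    max_age = attrs.get("max-age", "")
    if re.fullmatch(r"-?\d+", max_age):
        return max(int(max_age) / 86400, 0.0)
    if "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return 0.0                       # unparseable date: attribute ignored
        if expires.tzinfo is None:           # no zone given: treat as UTC
            expires = expires.replace(tzinfo=timezone.utc)
        return max((expires - now).total_seconds() / 86400, 0.0)
    return 0.0


def parse_set_cookie(header: str, request_host: str, now: datetime) -> CookieReport:
    """Turn one 'Set-Cookie: ...' header line into a CookieReport."""
    body = header.partition(":")[2]
    pair, *rest = [part.strip() for part in body.split(";")]
    name, _, value = pair.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()

    # With a Domain attribute the cookie goes to that domain and every subdomain;
    # without one it goes back only to the host that set it. Path defaults to "/"
    # here (a simplification: browsers derive the default from the request URL).
    domain = attrs.get("domain", "").lstrip(".")
    host_scope = f"*.{domain}" if domain else request_host
    return CookieReport(
        name=name.strip(),
        scope=host_scope + attrs.get("path", "/"),
        lifetime_days=_lifetime_days(attrs, now),
        unique_id=bool(OPAQUE_TOKEN.fullmatch(value.strip().strip('"'))),
    )


def audit(headers, request_host, now=None):
    """Return {cookie name: CookieReport} for every Set-Cookie line in headers."""
    now = now or datetime.now(timezone.utc)
    reports = (
        parse_set_cookie(h, request_host, now)
        for h in headers if h.lower().startswith("set-cookie:")
    )
    return {report.name: report for report in reports}


if __name__ == "__main__":
    for r in audit(SAMPLE_HEADERS, "www.example.test").values():
        print(f"{r.name:7} {r.finding:22} {r.lifetime_days:8.1f} d  {r.scope}")
```

A persistent-identifier result is the combination the entry describes as letting a website keep track of a user's patterns across visits; session-data is the kind of cookie the conclusions accept for linking a user to his/her purchases.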

Data integrity
The process of preventing accidental erasure or adulteration in a database.

Data mining
This implies "digging through tons of data" to uncover patterns and relationships contained within the business activity and history. This is usually done with programs that analyse the data automatically.

[220] Some of these definitions have been taken from the following sources:
- http://www.techweb.com/encyclopedia
- http://webopedia.Internet.com
- Personal Data Privacy and the Internet: a guide for data users, Office of the Privacy Commissioner for Personal Data, Hong Kong, 1998.

Data warehouse
A database designed to support decision-making in an organisation. It can contain enormous amounts of data. For example, large retail organisations can have 100 GB or more of transaction history. When the database is organised for one department or function, it is often called a data mart rather than a data warehouse.

Digital certificate
A digital certificate is an electronic document which contains two groups of information and which is intended as proof of identity in the electronic world. The first is the certificate information itself, including the name or a pseudonym of the natural or legal person requesting the certificate, its public key, the certificate's validity dates and the name of the Certification Authority (CA). The second piece is the Certification Authority's digital signature. The entire message is digitally signed by a Certification Authority which is trusted by many servers (CAs are a specific kind of Trusted Third Parties) and can verify the relationship between a natural or legal person and its public key.

Digital signature
A digital signature is a data string that is added to a message and guarantees its integrity by encrypting it (or a message digest) with the signatory's private key. Anybody who receives the signed message can check if it has been modified simply by decrypting the signature with the sender's public key and comparing the decrypted string with the original message or digest.

Domain Name Service (DNS)
The DNS (Domain Name Service) is a mechanism for assigning names to computers identified by an IP address. Those names are in the form of .topleveldomain where is a string constituted by one or many substrings separated by a dot.

Dynamic Host Configuration Protocol (DHCP)
The Dynamic Host Configuration Protocol (DHCP) is an Internet protocol for automating the configuration of computers that use TCP/IP. DHCP can be used to automatically allocate IP addresses. (http://www.dhcp.org)

Electronic signature
Data in electronic form that are attached to or logically associated with other electronic data and which serve as a method of authentication (Article 2.1 of the Electronic signature directive).

Encryption
Encoding information and messages in such a way that they cannot, in principle, be read by someone other than the intended recipient who has access to a key or password. There are two main kinds of encryption systems.
- The Symmetric or Private Key system, which uses a secret key shared between both the sender and the receiver of a message, its main advantage being the speed of processing and its main drawback the difficulty of securely sharing keys among a great number of users.
- The Asymmetric or Public Key System, which uses a pair of keys, generated so that even knowing one of them, it is almost impossible to guess the other. Messages encrypted using one of the keys are decrypted using the other. One of the keys is made public and used to encrypt the messages which every user decrypts with his or her secret private key. The Private Key is also used to sign messages digitally.

Firewall
A method for keeping a network secure. It can be implemented in a single router that filters out unwanted packets, or it may use a combination of technologies in routers and hosts. Firewalls are widely used to give users secure access to the Internet as well as to separate a company's public web server from its internal network. They are also used to keep internal network segments secure. For example, a research or accounting subnet might be vulnerable to snooping from within.

Hyperlinks
A pre-defined link between one object and another. The link is displayed either as text or as an icon. On World Wide Web pages, a text hyperlink is displayed as underlined text usually in blue, while a graphics hyperlink is a small graphical image.

Internet Service Provider (ISP)
A company that provides access and connections to the Internet to members of the public and companies. Small Internet Service Providers (ISPs) provide the service via modems and ISDN while the larger ones also offer private line hookups. Customers are generally billed a fixed rate per month, but other charges may apply. For a fee, a website can be created and maintained on the ISP's server, allowing a smaller organisation to have a presence on the Web with its own domain name. Large Internet services also provide proprietary databases, forums and services in addition to Internet access. In this report, the term ISP generally includes IAPs. The term IAP is only used when it is clear that it deals only with Internet access; in all other cases the generic term ISP is used.

Java and JavaScript
Java is a full-blown programming language and is not intended for the casual programmer and certainly not the end user. JavaScript is a scripting language that uses a similar syntax to Java, but it is not compiled into bytecode. It remains in source code embedded within an HTML document and must be translated one line at a time into machine code by the JavaScript interpreter. JavaScript is very popular and is supported by all Web browsers. JavaScript has a more limited scope than Java and deals primarily with elements on the web page itself.

Meta Tags
Meta Tags are HTML tags that provide information about a web page. Unlike normal HTML tags, Meta Tags do not affect how the page is displayed. Instead, they provide information such as who created the page, how often it is updated, what the page is about and which keywords represent the page's content. Many search engines use this information when building their indices.

Modem (MOdulator-DEModulator)
A device that adapts a terminal or computer to an analog telephone line by converting digital pulses to audio frequencies and vice versa. The term usually refers to 56 Kbps modems (V.90), the current top speed, or to older 28.8 Kbps modems (V.34). The term may also refer to higher-speed cable or DSL modems or to ISDN terminal adapters, which are all digital and not technically modems. A modem is an analog-to-digital and digital-to-analog converter. It also dials the line, answers the call and controls transmission speed. Modems have evolved at 300, 1200, 2400, 9600, 14400, 28800, 33300 and 56000 bps. Whatever the top speed, some lower speeds are always supported so that the modem can accommodate earlier modems or negotiate downwards on noisy lines.

OLAP
On Line Analytical Processing. Decision support software which allows the user to quickly analyse information that has been summarised into multidimensional views and hierarchies. For example, OLAP tools are used to perform trend analysis on sales and financial information. They can enable users to drill down into masses of sales statistics in order to isolate the most volatile products. Traditional OLAP products, also known as multidimensional OLAP, or MOLAP, summarise transactions into multidimensional views ahead of time. User queries on these types of databases are extremely fast, because the consolidation has already been done. OLAP places the data into a cube structure that can be rotated by the user, making it particularly suitable for financial summaries.

Portal site
A portal site provides an overview of web links in an ordered way. Via the visited portal the Internet user can easily visit selected websites of other content providers. Modern portals are "supersites" that provide a variety of services including web searching, news, white and yellow pages directories, free e-mail, discussion groups, online shopping and links to other sites.

PPP
PPP (Point to Point Protocol) is a telecommunication protocol widely used to connect two computers by using their serial port or a modem put on it. It is the low layer protocol mainly used between the personal PC of a home user and the Internet Access Server of an Internet Service Provider while establishing a TCP/IP connection on classical phone lines.

Proxy server
The proxy server is an intermediary server between the Internet user and the Net. It acts as a Web cache, dramatically improving the performance of the Internet. Many large organisations or Internet Access Providers have already implemented this solution. Each page, image or logo downloaded from outside by an organisation's member is stored on a cache and will be instantaneously available to another member of this organisation. It is no longer necessary for every member of the organisation located behind the proxy server to have his/her own IP address, because they do not directly access the Internet.

Protocol
In this context, a protocol is a set of technical rules that must be observed by two partners to exchange information. Protocols are organised into a hierarchy of so-called layers. Each layer is responsible for handling one particular aspect of the telecommunications process and provides basic functions to be used by the upper layers. Traditionally, on the Internet the TCP/IP protocol is always used as the intermediate layer. Ethernet (used in Local Area Networks), ADSL (used in phone lines), ATM (used by telecommunications operators), X-75 (used on ISDN lines), PPP (used on standard telephone lines) are some examples of lower-level protocols. On the other end of the scale, HTTP (for surfing), SMTP and POP (for e-mail), FTP (for transferring files) are higher-level protocols. This means that every potential privacy threat present in the TCP/IP protocol will be one of the weaknesses of the upper protocols. In basic terms, layers are a set of subprograms running on a computer linked to the Internet.

Router
A router is an important device which provides routes for TCP/IP networks. This means that the TCP/IP route is dynamic, depending on the failure or overloading of some routers or links. It can also be used as a firewall between an organisation and the Internet and guarantees that only authorised IP addresses can originate from a particular ISP.

Shareware
Software that can be downloaded from the Internet. It can normally be downloaded free for trial purposes, but a small amount must be paid to the software developers to be able to use it legally. Software which can be downloaded and used completely free of charge is known as freeware.

Sniffing
Sniffing software makes it possible to monitor the traffic and read all the data packets on a network, thus presenting in clear text all communications which are not encrypted. The simplest form of sniffing can be carried out using an ordinary PC connected to a network using commonly available software.

Spamming (or spam)
The sending in bulk of unsolicited advertising marketing material via e-mail.

TCP/IP network
A TCP/IP (Transport Control Protocol / Internet Protocol) network is based on the transmission of small packets of information. Each packet includes the IP address of the sender and of the recipient. This network is connectionless. It means that, unlike the phone network for instance, no preliminary connection between two devices is needed before communications can start. It also means that many communications are possible at the same time with many partners.
98TrustedThirdParties221ATrustedThirdParty(TTP)canbedescribedasanentitytrustedbyotherentitieswithregardtosecurity-relatedservicesandactivities.
ATTPwouldbeusedtooffervalue-addedservicestouserswishingtoenhancetrustandbusinessconfidenceintheservicestheyreceive,andtofacilitatesecurecommunicationsbetweenbusinesspartners.
TTPsneedtooffervalueasregardstheintegrity,confidentialityandsuccessfulperformanceoftheservicesandinformationinvolvedincommunicationsbetweenbusinessapplications.
Inaddition,userswillrequireTTPservicestobeavailablewhentheyneedthemwithinthetermsoftheagreedservicecontract.
Typically,aTTPwillbeanorganisationwhichhasbeenlicensedoraccreditedbyaregulatoryauthorityandprovidessecurityservices,onacommercialbasis,toawiderangeofbodies,includingthosewithinthetelecommunications,financialandretailsectors.
Forexample,aTTPcouldbeusedtosupporttheprovisionofdigitalsignaturestosecuretheintegrityofdocuments.
Inaddition,theycouldprovideend-to-endencryptionservicestousers,andincorporate,forexample,arecoveryorbackupfunctionforakey,toenablerecoveryifthekeyislost(typicallyfordocumentsandfilesthathavebeenencryptedbyemployees)ortosupportarequestforlawfulinterception.
TheuseofTTPsissubjecttothefundamentalrequirementthattheTTPistrustedbytheentitiesitservestoperformcertainfunctions.
UMTSUMTS(UniversalMobileTelecommunicationsSystem)isa"third-generation"broadband,packet-basedandwirelesstransmissionprotocolwhowilloffertranmissionspeedhigherthan2Mbps.
ThisnewbroadbandprotocolwillallowtransmissiontodigitalvideowithTVqualitytomobiledevices.
Presently,theGSMnetworkallowspeedsabout11Kbps,sufficientforthetransmissionofthevoicebutnotformovingimages222.

WAP
WAP (Wireless Application Protocol) is a telecommunication protocol conceived by many mobile phone manufacturers. It permits access from a dedicated mobile phone to Internet services such as Mail, Chat, Web surfing. [223]

Web cache
A computer system in a network that keeps copies of the most-recently requested Web pages in its memory or on disk in order to speed up retrieval. If the next page requested has already been stored in the cache, it is retrieved locally rather than from the Internet. Web-caching servers sit inside the company's firewall and enable all popular pages retrieved by users to be instantly available. Since the content of web pages can change, the caching software is always checking for newer versions of the page and downloading them. Pages will be deleted from the cache after a set amount of non-activity.

Webmail
E-mail systems that use web pages as an interface (e.g. Yahoo, HotMail etc.). Webmail can be accessed from everywhere and the user does not need to make a connection to a specific ISP, as when using an ordinary e-mail account.

Done at Brussels, 21st November 2000
For the Working Party
The Chairman
Stefano RODOTA

[221] Definition taken from the ETSI "Requirements for TTP services".
[222] See http://www.umts-forum.org/
[223] See for more information: http://www.wapforum.org
