Deloitte Hacking Team World Champion !

Posted on October 30, 2012 by roelvanrijsewijk

Yesterday our Ethical Hacking Team from Deloitte succesfully defended their world championship title. Below you find a full report from the team captain.

Well done boys !

I’m happy to inform you that we did it! After our win in March today we became global CyberLympics champion again!

This year the CyberLympics organization setup was a King of the Hill competition. Meaning that you have to hack a system, plant your flag (A hash in a text file) and secure that system so that no other teams can compromise the system where you just put the flag. Next planting a flag you also received points for securing the system and keeping the services running.

We spent the last month preparing for this final and made sure everyone had a role. The tasks were divided as follows:

Gijs & Thijs (*ijs): attack, try to hack as many systems as quickly as possible

PJ & Henri: defense, make sure existing vulnerabilities are quickly resolved to retain control over the systems and gain points for fixing vulnerabilities.

Jochem: Cracking passwords and performing Nessus scans.

Steven: Team leader, making sure roles are divided and handing out tasks to everyone and discussing issues with the organization.

During the prequels 248 teams participated from all over the world out of 52 countries. From these only 7 teams made it to the finals. In the final we played against teams from Australia, Europe, North America, South America, Africa and Asia.

When the game started we (Hack.ERS) were in the lead within a few seconds. Gijs’ script compromised the first server automatically as soon as we hit “enter”. Soon after we compromised that server, the PRauditors from Hungary compromised another server, so it was a draw. We reacted quickly and compromised two more systems. Then the score was full in favor of Hack.ERS.

However the other Hungarian team Gula.sh was able to steal 2 systems from us. So gula.sh was in in first place for 5 minutes. Because 5 minutes after that they lost the systems again to other teams. After 30 minutes we were able to compromise another system what gave us the lead again(2 Systems for Hack.ERS).

From that point on we were able to retain our lead and slowly improve the score towards a stable lead of 5 compromised system, while the other teams had no more than 1 or 2. On some of the systems we had to battle fiercely since we both had access, however they were so old it was nearly impossible to prevent the other teams from gaining access. These kept going back and forth until the end of the game. On many other systems Henri and PJ had successfully installed patches which not only kept the other teams out, but also provided us with extra points resulting in a good lead.

After 3 hours 4 additional servers were added. Hack.ERS *ijs were able to compromise 2 of those new systems quite quickly and we managed to retain these systems for almost the entire remaining time. Soon after that Hack.ERS had compromised 5 systems, while the other teams only had 1 or 0. This remained until the last 1,5 hour, then the organization decided to add 15 new systems to the game, making it anyone’s game. The *ijs tandem compromised some of these systems swiftly and we added five new systems to our Hack.ERS score, making the total of compromised systems 10.

The last hour this score of compromised systems changed from 10 to 9 to 8 and back to 9. The last 45 minutes the exact scores were hidden (the attached screenshot was taken 45 minutes before the end of the game), however when the game ended we had 9 systems under our control, while the other teams had only 1 or 2.

With this score we received the gold medal and defended the title of Global CyberLympics Champions with a good lead!

All the best from Miami and regards,

Gijs, Thijs, Henri, PJ, Jochem, Dirk, Derk and Steven

Posted in Uncategorized | Leave a comment

De strijd om performance-based online ad spend

Posted on June 14, 2012 by roelvanrijsewijk

Meer dan de helft van de online advertentie bestedingen in Nederland is nog steeds search en dat was in 2011 ook de snelst groeiende categorie van online adverteren. Daar zitten dus de grote budgeten van de adverteerders online. Search campagnes voor populaire adwords worden echter steeds duurder, met name die adwords voor productcategorieën die online snel tot conversie kunnen leiden. Meer dan de helft van de affiliate omzet gaat via topic publishers en comparision sites die zich richten op specifieke productcategorieën die relevante traffic genereren voor conversie op die producten. Daar ligt een kans voor affiliate netwerken om een effectief en efficiënt alternatief te bieden voor performance based search campagnes. Er is echter een kaper op de kust.

De opkomst van automated trading in Nederland is groot. 36% van de totale bestedingen aan display is gegenereerd op basis van een prijsmodel waarbij het op voorhand niet
vaststaat wat de uiteindelijke prijs wordt, dus op de 1 of andere manier is verhandeld. Dat zou betekenen dat de bestedingen aan automated trading in Nederland ongeveer net zo groot is als aan affiliate marketing.

Adverteerders zien het inkopen van display via exchanges steeds meer als een goed alternatief voor relatief dure search campagnes. Bovendien heeft inkopen via automated trading een aantal van de voordelen die affiliate netwerken ook bieden, zoals toegang tot een groot netwerk van websites, een volledig geautomatiseerd inkoop proces, controle over de prijs en mogelijkheden om realtime op ROI te sturen.

Groot verschil is het gebruikte afrekenmodel. De default currency in automated trading is
CPM. Je ziet dan ook dat bij traditionele exploitanten CPM steeds meer het dominante afrekenmechanisme wordt. Binnen affiliate netwerken komt CPM niet of nauwelijks voor en is CPL (15%) en CPS (78%) dominant. Daar zou dan ook het onderscheidende voordeel moeten liggen voor affiliate netwerken in de strijd om performance based bestedingen online ten opzichte van search (CPC) en automated trading (CPM); een afrekenmechanisme waarbij pas betaald hoeft te worden als de conversie heeft plaatsgevonden.

In principe zou het sturen op ROI bij een CPS model heel eenvoudig moeten zijn, immers de adverteerder rekent pas af na conversie. Echter, de huidige methoden van conversietoekenning zijn vaak te simpel (last cookie count) en gevoelig voor manipulatie. Affiliate netwerken zouden er goed aan doen te leren van automated trading en te investeren in transparantie en betrouwbaarheid; een gereguleerde exchange op basis van CPS om onafhankelijk de transacties en onderlinge afrekeningen te faciliteren.

Posted in Uncategorized | Tagged , , , , , | Leave a comment

Cookies Wars part III: The Amendment

Posted on June 13, 2011 by roelvanrijsewijk

Cookie Law Regulation: Self- versus State

Finally the Dutch parliament discussed the new Telecommunications law last week. The whole online world had anticipated this day, it was postponed several times, was too late to meet de EU deadline but now it’s done. And the online world is not happy.

Much was discussed. There was a very interesting proposal for Net Neutrality in the Netherlands (we would be the first country in the world after Chili to have such a law) but that is for another blog. Here I need to discuss what is being termed the cookie law. Despite intense lobbying from the industry and a complete self-regulatory framework with icons to inform the consumer, a website www.yourinlinechoices.com and clear opt-out and ‘do-not-track’ regime, a proposed amendment by a majority in the Dutch parliament has made the online world extremely nervous.

The amendment by D66, PVDA and PVV proposes that opt-out is not enough and basically returns to the original draft proposal for explicit opt-in for cookies. The industry has consequently send a letter to parliament explaining that this will destroy the surfing experience of the users and has spread nice video’s showing how cumbersome this will be for the user.

embedded by Embedded Video

YouTube DirektHow can cookies make your surfing experience convenient?

Secondly, and I think more importantly, this amendment, if it gets passed, would make the implementation of the cookie law more stringent than in other jurisdictions in the EU, leading to a disadvantage for the Dutch online advertising industry and inequality for users in the EU. The last is probably the reason the populist PVV, who usually is pro-business, supports the amendment: a way for them to frustrate the workings of the EU.

In part I of this series I have explained that the original EU directive was not aimed at cookies but requires opt-in to store or access information on his or her computer to prevent spy ware and malware to be installed on the computer without your consent. What we see now is that politicians are trying to regulate online advertising through a law that was not meant to do that. What they seem to forget is that cookies are mostly used to identify a computer and if cookies can no longer be used, other unique persistent identifiers will be used. It would be better for them to try to regulate the browser.

In part II of this series I explained that the big debate should be whether information related to a computer is to be considered Personally Identifiable Information which would mean it would be subject to the very stringent EU privacy laws. Whatever information you store on a server related to a cookie, if it is Personal Information these laws already apply. But advertisers are not interested in individuals but in large anonymous groups that they can target. So what are they trying to regulate?

It seems to be the feeling of the average consumer that he is being tracked without him knowing about it, the irritation of being retargeted over and over again and paid messages that are too close for comfort. This type of feeling goes against the interest of the advertising industry itself; they want their ads to be effective so it would seem that this lends itself perfectly for self-regulation. Ironically you would need cookies to do that (cookies to ensure you are not retargeted too much, cookies that explain what kind of messages you want and what kind you don’t etc.).

Regulation by the state should always be the last option. Regulation by the state is efficient when things are black and white: there is a wrong way and a right way (e.g. speeding on the highway). With cookies this is certainly not the case. It is not the cookies themselves who are right or wrong, it is the way you use them. And what use is good and what is bad is not very clear and not all usage can be anticipated. State regulation on this topic will lead to more and more regulations to plug the holes that smart online advertisers will surely find (a never-ending game of the industry versus the regulator) and will inevitably lead to more and more supervision by regulators like Opta, paid for by taxpayers: expensive, inefficient and bureaucratic.

Self-regulation by the industry, if properly organized, is much more efficient and effective. If it is indeed about the consumer and his control, the interests of the consumer and the online advertising industry are completely aligned. The online advertising industry wants to understand the choices of the consumer, wants to know what he finds annoying and what kind of messages he likes and from whom he prefers to receive them. They want to be in constant dialogue with the consumer so that the surfing experience is good, that advertising is not annoying but effective and that privacy of the individual is not invaded in such a way that he feels tracked and traced.

But offcourse there are always exceptions to the rule. There are certainly advertisers, websites, ad networks and other players in the industry who do not care about the privacy of the consumer, who engage in activities online that most consumers find annoying or scary and who fail to understand that this is not effective advertising and that it will eventually harm the industry.

What the online advertising industry would need to organize is to vigilantly police the companies that do not understand this. Track down short sighted companies that engage in practices that the consumer does not want and will harm the industry in the long run. Track them down and punish them, not by a fine but blacklist them and make sure they are out of business. When the publishers and networks work together with the advertisers and media agencies, this can be done. This will be very effective and very efficient and paid for by the industry, not the tax payer.

Tomorrow is the big day when parliament will vote in favour or against the amendment. Here is my advice to my chosen representatives:

What the politicians should understand is that advertisers are not interested in gathering vast amounts of private information of individuals to use it for some fascist or evil end. Do not regulate what the industry should organise themselves.

Posted in Uncategorized | Tagged , , , , , , , , , , | Leave a comment

Insight from 2010 IAB Online Adspend Study

Posted on June 9, 2011 by roelvanrijsewijk

For 2010, we (Deloitte) were appointed by IAB Netherlands as the new research agency to provide insights in online advertising spending in the Netherlands based on more comprehensive input data. The results reported are the most accurate measurement of the online advertising revenues in the Netherlands, because the data is compiled directly from a representative sample of online publishers. The respondents cover over 85% of the internet reach in the Netherlands, some 4000+ websites.

embedded by Embedded Video

IAB members can download the full report and contents of the report were discussed in the media. Or you can watch the video (in Dutch).

Here I want to tell you what I think is the most interesting insight.

There is significant variety in the ratio of the share of wallet and share of visitors for leading publishers in the Netherlands. The power ratio of the participating publishers shows a great diversity. The power ratio is calculated by dividing the Share of Wallet by the Share of Reach.

Publishers with a specific target audience received a high advertising share relative to its visitors share. 4 publishers have an extra ordinary share of advertising compared to their reach. 8 publishers have poor advertising  performance compared to their reach.

So what does this mean?

Simply said: how many people visit your website is quite irrelevant in terms of the ability to generate advertising revenue online. Compare this to TV were the ratings are the Holy Grail. Off course for both type of media the target audience is important but for internet much more so. It confirms based on facts that the ability to understand who is visiting your website and what they want and need is the way to maximize your profits. Rich data is king, not unique visitors.

For websites with no specific target audience (= popular websites), the solution is not the monthly audience reach reports but behavourial targeting. My website may attrackt all kinds of people but I know at this moment there is a guy, from Amsterdam, interested in cars (for example). The study shows that revenue generated through behavioral targeting was only €16m in 2010, only 8%. But 26% of the publishers use behavourial targeting and weighted for their reach it is done by more than half (58%).

So it seems that the large pubishers with many unique visitors understand that they need behavourial targeting to boost ad revenue. But they are not yet very succesfull.

I would strongly recommend Dutch online publishers to be better aware of who is collecting data from their websites. My hypothesis is that there are third parties, like Google.Doubleclick/Media Agencies/Ad Networks/Ad Exchanges, who understand more about their audience than they do themselves.  Those third parties also collect data from other websites so the conclusion must be that they have much more and much richer data than the online publishers.

The current debate around online privacy is a great opportunity to build a perimeter around your domains and avoid data leakage. Assuming that data related to a personal computer (using cookies, IP Addresses and other unique identifiers) in future will be regarded by regulators as personally identifiable information and that collecting, sharing and matching data by third parties across different domains will be more and more restricted, the online publishers will be sitting on a pot of gold: rich data about their audience.

Posted in Uncategorized | Tagged , , | Leave a comment

Idea for a better internet: regulate the browser

Posted on April 13, 2011 by roelvanrijsewijk

Regulate the Browser

The claim for the internet was that it could and should not be regulated. But governments and corporations are constructing an internet that will perfect control and make highly efficient regulation possible. The ethical and social issues involved are many and varied; however, it is useful to focus on four.

Property: Who owns information? What are the just and fair prices for its exchange?

Accessibility: What information does a person or an organization have a right or a privilege to obtain, under what conditions and with what safeguards?

Privacy: What information about one’s self must you reveal to others, under what conditions and with what safeguards? What things can you keep to yourselves?

Accuracy: Who is responsible for the authenticity, fidelity and accuracy of information?
* Four Ethical Issues of the Information Age. Richard O. Mason. MIS Quarterly, Vol. 10, No. 1, 5-12. March, 1986.

 

The potential conflicts between the issues of information ethics can lead to digital dilemmas. For example ensuring accuracy of information can be in conflict with privacy as codified in the Personal Data Protection Act. The moral imperative is clear: we will have to ensure that information technology, and the information it handles, are used to our benefit.

The solution to digital dilemmas is all about control. When a social-networking site changes your privacy settings to make public what was only accessible to your friends, your loss of control over that information is the issue. We may not mind sharing our personal lives and thoughts, but we want to control how, where and with whom. A privacy failure is a control failure.

The internet itself is not intelligent: it just routes packages. The intelligence and control is in the devices connected to the internet. The dominant way of accessing the internet is via the browser. To put control where it should be (with the people: us), browsers should have build-in safeguards for privacy and property when sharing information via the browser and safeguards for accuracy and accessibility when retrieving information. Like safety regulations for cars before they are allowed on the road, or drugs, food and other stuff in our lives which is of vital importance, browsers should comply with a set of standards before they are allowed on the market.

EU member states are looking for a browserbased solution to implement an EU directive that requires consent from users before placing information on their devices. For cookies this has posed the regulators with a practical challenge how to implement this without completely ruining the surfing experience. Most member states are looking for a browser based solution. This would practically mean that by allowing through your browser settings cookies, the required consent is given by default.

The problem with this solution is that different browsers have different solutions so the way the law is enforced is depended on the type of browser you use. I am not a lawyer but that seems like a legal novelty. Would that also mean that browsers without these features are illegal? Probably not. Lastly, the average consumer currently is lacking the understanding to appropriately configure the browser settings to protect against bad cookies. Can they truly discriminate between bad and good? And if not, who will do that for them and for what reasons and with what moral authority?

By regulating the browser and impose international agreed standards, we can work towards a better and safe internet that the average user can trust. By regulating the browser we can ensure that the control of information is always with the owner of that information.

Posted in Uncategorized | Tagged , , , , , , , , , , , | Leave a comment

The Cookie Wars 2: IAB vs OPTA: How personal is your computer?

Posted on March 31, 2011 by roelvanrijsewijk

In 2009 the European Parliament passed a Directive, which require business to obtain the consent of a consumer (i.e. consumers must actively opt-in) in order to store or access information on his or her computer.

A fight has broken out between the self-regulatory body of the industry (IAB) and the regulator (OPTA), for the hearts and minds of our politicians and the public (you).

By breaking the discussion down into three different aspects I want to try to untangle the confusion and bring some insights in what is going on here.

  1. Discussion on the practical implementation
  2. Discussion on online privacy
  3. Discussion on regulation: Self versus State

This is part 2 of the series: Discussion on online privacy

The current discussion around the cookie law is complicated by a parallel discussion on online privacy.  The big debate is whether information related to a computer is or should be considered personal data.

Personal Data

The EU has one of the most stringent privacy protection laws in the world. The scope of these laws is what we call personal data, meaning information related to a natural person. For instance, your name, address, phone number, social security number and your fingerprints are all personal data, since all of them can be used to identify you as an individual.  In, I admit, an extreme simplification of the EU privacy laws covering this type of data, it is useful to understand three guiding principles:

  • Clearly explain what the purpose is of the personal data you collect and get permission
  • Only collect personal data for that purpose and only use it for that purpose
  • The personal data is not yours, as a good custodian keep the personal data safe and protected and only keep it for as long as you need it for the stated purpose

If any information related to a computer, for example using a cookie or an IP address, is considered personal data than these stringent laws should apply. In that case a cookie law or any other law on top of the privacy law is just superfluous for protecting our privacy online. But you can argue that information related to a computer is anonymous information, not personal data, so these laws do not apply. To put it simple: you have no way of knowing who the individual is sitting behind the computer at any given moment.

How personal is a computer?

It’s hard to tell exactly. I am the only person that uses my work laptop (as far as I know, the EU directive is aimed at protecting my laptop from secretly installed software that uses my computer without me knowing about it). This natural person is not the private-me but the business-me. My iPad during the day is the same business-me but in the evening it can be my 4 year old daughter playing online games. The computer in my home can be anybody, including friends and family.

OPTA in her report seems to regard profiling information related to a cookie that is used for advertising purposes as personal data, subject to the stringent privacy laws.  Maybe in the digital age, where more and more of our live is lived in cyberspace, information related to a personal computer is indeed the online identity of an individual. I am just not convinced that this view currently is a legally accepted definition of personal data supported by appropriate jurisprudence. Furthermore, the ramifications of this position are enormous and will impact the very fabric of the internet.

IP Address is not a telephone number

You can skip the next paragraph if you know all about IP addresses.

An Internet Protocol (IP) address is an address for any device on the Internet, which exists to allow data to be delivered to that device. So when a website needs to send your computer something, it needs your IP address to send it to the right computer. The often heard statement that an IP address is the same as a telephone number is wrong. A telephone number is personal; any given IP address is used by numerous people because the IP addresses that people use can change frequently. Your Internet service provider (ISP) may have a block of 20,000 IP addresses and 40,000 customers. Since not everyone is connected at the same time, the ISP assigns a different IP address to each computer that connects, and reassigns it when they disconnect (the actual system is a bit more complex, but I promised to keep it simple).

How personal is an IP address?

Back to the burning question: is an IP address personal data, or, in other words, can you figure out who someone is from an IP address? The statement that all IP addresses are always personal incorrectly suggests that every IP address can be associated with a specific individual. The IP addresses recorded by every website on the planet without additional information should not be considered personal data, because these websites usually cannot identify the human beings behind these number strings.

However, if you’re an Internet Service Provider (ISP), like KPN or UPC, and you assign an IP address to a computer that connects under a particular subscriber’s account, and you know the name and address of the person who holds that account, then that IP address is more like personal data, even though multiple people could still be using the computer. ISP’s are obligated by law to store the IP addresses they assign for law enforcement purposes; the government will use that information against you if you do bad stuff online or offline. But I think it is legally stretching it a bit to say that the anonymous data a website collects is personal data because someone else (the ISP) has the key to unlock the individual behind the IP Address

The impact on the fabric of the internet

Again, it is all down to asking permission.  Under privacy laws you would need to ask permission before you collect personal data. There’s nothing wrong with that, until someone decides that an IP address is considered to be personal data. So before I store your IP address, I should be asking you for permission.  Except that, if you visit my website, how can I ask you for permission before you visit it?  The very moment your computer starts loading the page, it tells my web server the IP address it wants the page delivered to. As said, this radical position has an impact on the very fabric of the internet.

I use data analytics for the website you are now visiting and I did not ask permission to collect data from your computer. Does OPTA consider me a law breaker? Herrrr Johannes Caspar, Germany’s data protection commissioner, certainly thinks so. According to Johannes, tracking IP addresses of web users without permission should be illegal. He has already decided that Google Analytics is illegal because the “personal” data is exported out of the EU.

The scary stuff: profiling

The problem is that cookies and IP addresses allow profiling.  The fact that it can be done is sufficient to make OPTA nervous and some data protection officials very upset about its use, especially in Germany. And although this data is anonymous, I do understand their concerns. The question is how many non-personal data elements become personal data? If I have an IP address, cookie or any other identifier to a computer and start tracking you and collect vast amounts of data, when do I have enough data to actually being able to identify you as an individual (name, address etc.)? If I know your gender, location, type of business, the sport you practice, your marital status, could I find out your name and address? Probably I can, with some effort, and considering that some of the profiling technologies use up to tens of thousands of attributes to segment an audience, then indeed a very rich profile will become quite unique and personally identifiable.

OPTA wants to make a distinction between group profiling (gender, interests, nationality) and individual profiling (‘looking for Hotels in Dubai’). The distinction is actually between audience data and what you can call ‘intent data’. The last data is mostly collected from web shop comparison sites and other e-commerce sites where you reveal your intent on buying something. I am not convinced that the last category is more individual than others.

Advertisers are not interested in you personally

The fact is, and that must be a little bit re-assuring for us all, that advertisers are not interested in individuals, at all. Why make all the effort to target an individual if you want to sell as much as possible? Even for intent data an advertiser will only be willing to pay if you can offer a large group of people who are looking for hotels in Dubai. So if you are profiled for advertising you are always in the comfortable anonymity of a group (you are not the only one!). If there are just a couple of individuals interested in your product or service and you need to track them down online, you should be worried more about your business than about advertising it.

Too close for comfort

But off course, some of the targeted advertising can become quite personal in the perception of the user, or weird.  For some people, my father for example, it is creepy that somehow his favorite online news site suddenly seems to know that he is travelling to Lisbon (to protect the privacy of my father, I changed the destination). Partly fear based on ignorance but on the other hand perception is reality and his private comfort zone is invaded. And for some (including me) the now common practice of re-targeting using intent data (showed interest in something online but decided not to buy it, now I am targeted for this product or service constantly) is simply annoying. It feels like you walked into a shop and now the shopkeeper is following you on the street and keeps on asking you: “Do you want it? Are you sure?”. The same reason I intensely dislike visiting a Souk, but that is personal.

Privacy also means the right to be left alone. This is something the advertising industry should be worried about in terms of effectiveness and acceptance of their practices and I think lends itself perfectly for self-regulation. But more about self-regulation in the final part of the Cookie Wars.

The cookie law is not meant to regulate online advertising

The debate on online privacy has only just started and it is a very important debate that will determine much of the future digital world we will live in. The question if information related to a computer is personally identifiable information is fundamental but also very difficult because that is what the internet is designed to be; huge amounts of information related to computers. My point is that this key question should be dealt with separately from the discussion on the new EU directive as the issue of online privacy is certainly related to the cookie law, however it is not the issue they try to regulate.

The principle behind the EU directive is that a computer is personal property and that access to this property is at the discretion of the owner.  If the regulator is concerned about the privacy implications of collecting information on profiles and preferences related to a computer, the current proposed law is simply inadequate. The problem is that you can collect and use this type of information using any persistent identifier to a computer, without actually storing information on the device like a cookie. Techniques like device fingerprinting, for example using information like IP address in combination with browser type and settings, are well known alternatives for cookies.

I am not saying that the lawmakers overlooked this and made a mistake. I am just saying that regulating targeted advertising was not the intent and purpose of the EU directive. So in my view it is confusing and a mistake to make online privacy part of the discussion on the cookie law or try to regulate targeted advertising with a law that is not meant to do that.

To be continued

Posted in Uncategorized | Tagged , , , , , , , , , , , | Leave a comment

The Cookie Wars: IAB versus OPTA, Part 1

Posted on March 23, 2011 by roelvanrijsewijk

The online world is nervously awaiting the outcome of the debate in the Dutch parliament about the new telecommunication law. It will have a major impact on how data in the online world is collected, shared, traded and matched. In 2009 the European Parliament passed a Directive, which require business to obtain the consent of a consumer (i.e. consumers must actively opt-in) in order to store or access information on his or her computer. For online businesses this means uncertainty because exactly how each member state will enforce this law in 2011 is left to the discretion of their national authorities.

The Interactive Advertising Bureau (IAB) on behalf of online businesses, have been lobbying heavily for a practical interpretation of this directive and have been successful in convincing the politicians to adopt a view that self-regulation by the industry is better than regulation by the state. Last week OPTA, the regulator of the telecommunication law, dropped a bom by publishing a report that stated that current practices in online advertising are already unlawful. This triggered a very angry reaction by the IAB in an open letter to parliament.

A fight has broken out between the self-regulatory body of the industry (IAB) and the regulator (OPTA), for the hearts and minds of our politicians and the public (you).

The issue at hand is very complex and confusing.  By breaking the discussion down into three different aspects I want to try to untangle the confusion and bring some insights in what is going on here:

Part 1 Discussion on the practical implementation

The principle behind the EU directive is that a computer is personal property and that access to this property is at the discretion of the owner. So that is why the EU decided that there should be a law that states that storing or accessing information on a computer without the owner knowing or agreeing to it is forbidden. It is important to understand that the EU when stating this principle was not thinking about cookies but were mostly concerned with spyware and other malware that is stored on your computer without you knowing about it. Clearly nobody can disagree with this principle, so far so good.

But then the confusion started: what about cookies? Cookies are stored on your computer without your consent so the Directive implies that this is going to be forbidden. Funny enough the debate is now completely focused on cookies and we are even calling it the ‘cookie law’.  We do not need a big debate that secret spyware should be illegal but you can argue that there is nothing wrong with the regular use of cookies.

So what are we trying to make illegal and why exactly?

This question has brought a complete new dimension into the discussion which has to do with online privacy. The online privacy discussion will be untangled in the next post. What we will discuss here are the practicalities of asking for consent whenever you drop a cookie.

Cookies are used for lots of things, most of which makes surfing on the web more easy. It is easy if a site remembers who you are and that they learn from your preferences and give you relevant content. The Dutch Consumer Authority did a test and some of the Dutch websites are real cookie monsters. In visiting 27 websites a staggering total of 541 cookies were dropped. Tvgids.nl was the winner with 71 cookies placed in one visit.

So here is the practical issue in your face: how can you inform a consumer about the cookie and ask for consent without completely ruining the smooth experience made possible by the same cookies?

So if cookies make our lives easier and the practical implementation around the required consent is impractical, why not make an exception for cookies ? Well, cookies were originally used to facilitate browser-server interaction but lately, driven by the advertising industry, they are used for other purposes; e.g. advertising management, profiling, tracking, etc. As said, the online privacy discussion is for the next part.  For now it is important to understand that the possibilities to misuse cookies both exist and are being exploited.

So how can we make easy use of good cookies and avoid the bad cookies?

OPTA argues that we therefore should distinguish between first party cookies (‘good cookies’) and third party cookies (‘bad cookies’). The first party cookies are most commonly used for convenience and third party cookies mostly for ad networks. This distinction I think is confusing the debate. First of all both types are used for all purposes. Secondly I am not convinced that all ad networks are bad, which this argument implies. Moreover, the information connected to first party cookies are often more sensitive (e.g. credit card details). What if a bad website drops a first party cookie? So this distinction does not make sense in the discussion and will only make things unnecessarily complex.  As promised, I will try to keep it simple so let’s ignore the complex cookie family and stick to cookies in general, whatever the type (first/third party cookies, flash cookies, session cookies, persistent cookies whatever).

The debate is simply how to practically implement the requirement for consent around cookies, nothing more or less. A pop up before a cookie is dropped is clearly impractical and just annoying.  Most member states, including the Netherlands, are therefore looking for a browser based solution. This would practically mean that by allowing through your browser settings cookies, the required consent is given by default. Looks like a simple an elegant solution but off course it is not as simple as that.

First of all, with this solution nothing will change. We can already allow or disallow cookies via browser settings so how will this enhance the protection of the user from bad cookies? Secondly, this is a rather indiscriminate measure; you either allow or disallow cookies so you are basically throwing away the good cookies with the bad cookies.

So the big browsers (Internet Explorer, Firefox, Chrome) have come up with new features to address this. These features will allow the user to accept or reject cookies from certain networks or parties using blacklists or other solutions. It can also allow the user to accept cookies but not be tracked by ad networks.

The problem with this solution is that different browsers have different solutions so the way the law is enforced is depended on the type of browser you use. I am not a lawyer but that seems like a legal novelty. Would that also mean that browsers without these features are illegal? Probably not. The other legal issue here is the meaning of the word explicit consent. There are legal experts who are saying that this interpretation of the meaning of consent makes for a dangerous precedent for other areas where apparently consent can be given implicitly.

Lastly and most importantly, and here I can violently agree with the OPTA report, the average consumer currently is lacking the understanding and knowledge to appropriately configure the browser settings to protect against bad cookies.

What will the consumer do with these new features?

If they do not really understand will they just disallow all cookies by default? If they do not understand, and maybe do not care, will they just allow all cookies out of ignorance? Can they truly discriminate between bad and good? And if not, who will do that for them and for what reasons and with what moral authority?

The discussion is not about the principle but about the practical implementation.

Following the discussions now for months I haven’t come across a reasonable alternative for the browser based solution (please let me know if I have missed something). So maybe it’s the least worse? The industry through the IAB has therefore come up with some self-regulatory solutions which are interesting and which I will explore in the third post. But before we do I will cover the online privacy angle of the big cookie debate in the next post.

To be continued.

Go to Part 2: How personal is your computer ?

Posted in Uncategorized | Tagged , , , , , , , , , , , | Leave a comment

Can you trust the digital world?

Posted on March 11, 2011 by roelvanrijsewijk

In this electronic age we see ourselves being translated more and more into the form of information, moving toward the technological extension of consciousness. – Marshall McLuhan (1911 -1980)

Welcome to my blog. Let me start by telling you what this blog is about.

Are you fascinated by the digital information revolution?

Then please keep reading. As a risk consultant working in the technology and media industry I am confronted with its impact, good and bad, every day and these insights I want to share with you.

Today in western societies more people are employed collecting, handling and distributing information than in any other occupation. Millions of computers inhabit the earth and many millions of miles of optical fibre, wire and air waves link people, their computers and the vast array of information handling devices together. Our society is truly an information society, our time an information age.

The days of the ‘Wild Wild Web’ are over.

The claim for the digital world was that it could and should not be regulated. Wikileaks, Apps, Facebook and other developments will inevitably lead to more and more control. Not necessarily control by government, and not necessarily control to some evil end. But as Lawrence Lessig explained in his copyright-free publication Code V2 (http://codev2.cc/), governments and corporations are building an internet that is quite the opposite of its architecture at its birth. Governments and corporations are constructing an internet that will perfect control and make highly efficient regulation possible.

We are at the crossroads of shaping the digital world we into a world that we can trust.

Trust in a digital world is constantly developing and changing due to the continuous disruptive innovations in technology. Digital information ethics will become more and more predominant as the dependency of our society on digital information increases. Every incident will make us think about how media and tech businesses should work to protect the public interest. The ethical issues involved are many and varied; however, in this blog I will focus on just four.

Four major issues of information ethics for the information age*
Property: Who owns information? What are the just and fair prices for its exchange?

Accessibility: What information does a person or an organization have a right or a privilege to obtain, under what conditions and with what safeguards? Who owns the channels and infrastructure through which information is transmitted? How should access to this scarce resource be allocated?

Privacy: What information about one’s self or one’s organization must you reveal to others, under what conditions and with what safeguards? What things can you keep to yourselves and not be forced to reveal to others?

Accuracy: Who is responsible for the authenticity, fidelity and accuracy of information? Similarly, who is to be held accountable for errors in information and how is the injured party to be made whole?
* Four Ethical Issues of the Information Age. Richard O. Mason. MIS Quarterly, Vol. 10, No. 1, 5-12. March, 1986.

Digital Dilemmas of Online Business Models

The potential conflicts between the issues of information ethics can lead to ethical dilemmas in online business models. For example ensuring accuracy of information can be in conflict with privacy of information. The information of our behaviour on the internet helps search engines improve accuracy of search results. But do we want them to store all this information on our preferences and choices on their servers? Reconciling this dilemma leads to a better search engine and thus to a competitive advantage.

- To create wealth is to combine values that are not easily joined…therefore scarce…therefore profitable…-  Fons Trompenaars

The moral imperative is clear. Maybe we have to wait until a disaster happens or until companies like Google and Facebook misuse our trust in them, but eventually these companies will have to ensure that information technology, and the information it handles, are used to enhance society.

In this blog I will share my personal opinions on digital dilemmas of online business models and how we can enhance trust in a digital world.

And off course I want learn from you, so please share your comments with me.

Let’s discuss !

Roel

Posted in Uncategorized | Tagged , , , , , , , , , , | Leave a comment