Ad-blocker blocking websites face legal peril at hands of privacy bods Websites that detect ad-blockers to stop their users from reading webpages could be illegal under European law. Alexander Hanff, a privacy campaigner and programmer, says he has received a letter from the European Commission confirming that browser-side web scripts that pick out advert blockers access people's personal data ( …
> You really think EU is not owned by business?
Compare the situation for consumers, employees, parents, people with an illness, passengers, etc (ie "people") between the EU and the US, and there is virtually nothing in common. Sure, the EU may consult with business too, but the US is simply in a different league from the rest of the world when it comes to treating their own citizens as a disposable resource.
I'm going to be honest, no I don't. Well maybe they are but there are SO MANY PEOPLE involved in EU legislation that it'd be incredibly difficult to buy them all, unlike national parliaments, you know the ones which are properly democratic.
Arguably an unintended benefit of EU membership.
Maybe they can ask the user's permission on a panel that obscures the contents. It could ask as an automatically playing video that can't be skipped, tripling the page load time. This has two advantages.
1. It would suitably annoy those running ad blockers whilst complying with the law.
2. Those not running ad blockers would be able to tell the difference from their usual experience of websites.
Didn't they already do that?
Google has a panel covering most of the screen with some boring (already "agreed" to it dozens of times) privacy policy, which is hard to scroll and agree on my 7" tablet. It's funny how sites assume you'll keep your cookies until 2038, instead of clearing on-exit.
Anyway, I love it when EU law makes privacy invading yanks pee their pants.
@Adam 1. Could you explain your second point a little more clearly.
However, I think you've missed something from the article. It would require the site to ask every visitor to ask permission for their browser to be probed. In the interim either the ad-blocking visitor gets to read the page or, if the page is obscured my any means nobody, ad-blocking or not, probe-consenting or nor, gets to read the contents. This means that the site manages to piss off everyone, including those of whom the site might approve.
It also has an interesting side effect. It would present the page authors the problem of explaining why it wishes to probe the user's browser. If they don't give a clear explanation then it will look a little sinister to naive users and if they do it alerts such users to the existence of these things called ad-blockers which they might then investigate and find to be a good idea.
Sure. It was self evidently a bit too subtle a joke for a few folk here who probably thought that I was advocating against ad blockers.
The point was that they could make the process of presenting the question to probe (all that they are required to do) just as annoying as the ads themselves. Point 2 was that such an experience wouldn't be noticeably worse than what one is subjected to without an ad block installed. Ergo, the only folk who would actually suffer would be those used to an ad free experience.
The question in the query has grossly misstated how ad blocker detectors work, and the answer was constructed on that false basis. As such it does not say anything about actual anti ad blockers, only about the imaginary ones that do not exist outside of the mind of the guy submitting the query.
Real anti ad blockers do not store any kind of scripts or information on user side. Also, detecting the presence of an ad blocker obviously is not a personally identifiable information, and as such is not protected by the EU directive.
That is not correct.
Anti blockers work by checking whether the user has seen some ad or received some file, effectively retrieving the information stored in the user's cache about whether that file has been downloaded or not.
This is, they store and retrieve information on the user's computer without the user's prior consent.
Users consent when they visit the website. I didn't want to see your comment, but I took the risk when I came here.
But do they?
I've seen this excuse used in so many places. You don't actually get a choice as the damage is often done before you even get a chance to say "no", often because you don't realise that the damage is being done. People get upset by drive-by malware or its threat yet this sort of thing is not really much different.
But do they?
I've seen this excuse used in so many places. You don't actually get a choice as the damage is often done before you even get a chance to say "no"
Nail on the head.
Generally, you visit a site because the page you're browsing to looks like it might contain the information you're currently after. But, until you visit, you have no idea what the "cost" will be - what JS will run, what third party trackers they use etc.
Once you've found out (and most users never do, because they don't look), it's too late, because it's already happened. All you can do is not visit in future, limiting it to one occurence (for that site). Which means it isn't anywhere close to informed consent and doesn't count.
But do they?
No, because the consent must be both explicit and informed. So, websites cannot assume that consent has been given but must explicitly inform users and obtain their explicit agreement. NB. there explicit exemptions for things like session cookies. The law isn't some Luddite attempt to break the web but it does make spying on users a little more difficult.
"Anti blockers work by checking whether the user has seen some ad or received some file, effectively retrieving the information stored in the user's cache about whether that file has been downloaded or not."
Wrong. The cache isn't involved. Neither is any information stored. Actually, if anything, the opposite is true. Ad blocking is detected by some "information" (element of the page) not being present on the client side, because of, you know, it getting blocked.
"The javascript file itself is stored and is illegal."
You realize, that no matter how many times you repeat the same false statement, it will not become magically true, don't you? It will stay just as false as it was for the first time. The only thing you can prove by keeping that up is your incompetence and thickheadness.
I understand you think you landed something big that will make you famous. But you didn't, and it will only make you infamous, for being the clueless populist who couldn't even get the basics rights. You will be the Donald Trump of internet cookies.
The sooner you realize this the less damage your reputation will take. And, trust me, it already took A LOT in the eyes of most competent persons.
"Anti blockers work by checking whether the user has seen some ad or received some file, effectively retrieving the information stored in the user's cache about whether that file has been downloaded or not."
Wrong. The cache isn't involved. Neither is any information stored. Actually, if anything, the opposite is true. Ad blocking is detected by some "information" (element of the page) not being present on the client side, because of, you know, it getting blocked.
AFAICS these are two statements of the same thing.
However ultimately neither my view, nor yours, nor Mr Hanff's will be decisive. The decisive view may well be that of a court. Do you intend to provide expert evidence?
"AFAICS these are two statements of the same thing."
No, because anti ad blockers - as already said - do not examine your cache, do not query the list of installed extensions/plugins (contrary to what our "expert" says), etc. And because they do not store or transmit that information anywhere inside or outside of the browser. They simply do nothing that the EU DPD would require to ask prior consent for.
> ... ALL information ...
Indeed. While in the US the concern may be only PII in the sense of information sufficient in itself to identify a person (such as name, phone number, ...), the EU data protection regime deals with any and all information about a person even when that information doesn't directly identify a particular person. In practice I'd think it is enough if a such information could be tied to a person by a third party for it to become 'personal information', the collection, distribution or even 'processing' in the most general sense of which is subject to restrictions, a key one among them being that this requires consent of the person about whom the the information is. Hence, e.g. collecting IP addresses so that they can associated with other information such as pages visited is verboten - or at least this is the German data protection authority's stance (with which I quite agree).
"The letter from the European Commission to Mr Hanff talks about ALL information, not just personally identifiable information."
Wrong. It talks about information in the context of the data protection directive. The latter only prohibits storage of personally identifiable information. So the word "information" or even "all information" must be interpreted in this context.
That said, as I already pointed out, because there's no actual storage of any information involved in ad blocker detection, it's completely irrelevant what the term "all information" means.
You are wrong - I have researched a large number of the adblock detection solutions and they all work by storing a javascript on the computer of the user which then checks how the page is rendered - whether specific elements exist or have been removed form the DOM.
Furthermore as pointed out by the EU Commission - the law is relevant for ANY information stored or accessed and is not limited to personal data. In fact the EU Commission rightfully categorise adblock detection tools as spyware as per Recital 24 and Recital 65.
I note you also spammed my Twitter feed with your nonsense - I suggest you actually go and learn something about the law before reporting back to your adblock detection company.
I have been working on these issues for 10 years and know the law very well - I have been researching adblock detection for the last 14 months and have spoken to 10 different regulators in Europe as well as the EDPS and EU Commission - all of them (yes even ICO in the UK) agree with my analysis.
I should add though that the letter from the EU Commission is not my reason for taking legal action - it was always my intention to do so which is why I started the work 14 months ago. Back in February last year I had a face to face meeting with DG Justice at the EU Commission in Brussels and they confirmed my concerns verbally. As I was approaching the point where I will begin filing legal complaints, I decided that having that opinion in writing would be useful so earlier this year I wrote to President of the EU Commission asking for them to formalise our original discussion in writing.
I would presume all of this needs to only be downloaded to the cache, so your opinion is that anything in the web cache is 'stored data' and subject to protection?
So, for instance, using javascript to fade a picture in would need the visitor to opt in before hand. But from a legal point of view there's no difference between javascript and css, so using a css file to control the layout on a page would not be possible without an opt in from the visitor?
There's a part of me misses the old 90s web, when 'it wasn't about the money man.' Perhaps we get to visit it again. Right if you'll excuse me I just need to cut this image up into 20 parts so I can put them in a table.
No you are missing the exemptions as I explained below. Also if you actually read the letter from the EU Commission you will notice they mention the exemptions as well.
Please do read the information provided, it saves me repeatedly typing the same information over and over and over again.
"You are wrong - I have researched a large number of the adblock detection solutions and they all work by storing a javascript on the computer of the user which then checks how the page is rendered"
Wrong. You're misusing the term "store" here and misrepresenting (or simply not understanding) what kind of storage (if any) is happening here, and who is storing that information (if anything). Fact is: anti ad blockers do NOT store any scripts on the client side.
If anything, the browser _caches_ the scripts, which however, is not considered as "storage" in this context (ie. data protection rules). And the browser does so not because it's been instructed to do so by the page or the anti ad blocker, but because it does that on behalf of the user, for his convenience.
However, anti ad blockers do not rely on this kind of caching (which you misinterpret as "storage") and would and will work the very same way they do, even if the browser does not cache any scripts, which it does deliberately, and which caching is controlled by the user.
So, no, let me reiterate that to you again: anti ad blockers and ad blocking detection scripts themselves do NOT store any scripts on the users computer, and do NOT process any personally identifiable information either. As such anti ad blockers are not and can not be subject of the EU data protection directive.
The EU didn't state otherwise either. They merely answered your question, based on false premises, and because of that they gave you an answer that is irrelevant and does not apply to actual ad blockers.
The problem here is not with the legality anti ad blockers, but your understand of how these technologies (or even browsers and the web in general) works.
> https://yourlogicalfallacyis.com/loaded-question
> https://yourlogicalfallacyis.com/ad-hominem
Thank you for telling me about logical fallacies (which I'm *well* aware of)
However when you look at someone's El Reg list of posts and find that, since they joined the Forums on the 9th of October 2013, they have posted a grand total of 86 posts, a goodly proportion of which relate to the use of ad blockers and some of which contain such ludicrous comments like this one...
"Theft is theft, no matter what your reasons for doing it are. And using web services and consuming content without "paying" for them by tolerating ads IS also theft."
... it is neither a loaded question, nor an ad hominem attack to wonder whether the poster who doth protest too much is doing so because he's worrying about his job disappearing.
So if you *don't* work for an advert pusher, *WHY* are you getting so uptight about people using ad blockers or why it is that it seems that everyone else apart from FF22 considers that they way these ad-block-blockers work is illegal?
@Graham Marsden:
Your "reasoning" is like
- if you're defending women's right not to be raped, you have to be a raped woman
- if you're defending black people's right not to be shame for their skin color, you have to be a black man
- if you're defending publishers right to not have their ad blocked blankly, you have to be a representative of an internet advertising company*
(*which doesn't even make sense even in itself, but let's skip this part for now)
No, I do NOT have to be a woman, a black man or an internet advertising (firm) to defend some group of people, a phenomenon or even just an idea against unfair treatment, false statements and abuse in general.
And the reason why I'm saying what I'm saying is completely irrelevant and does not determine whether what I say is factual and logical. Not that I wouldn't have explicitly disclosed why I'm saying what I'm saying. Just saying, that even if I wouldn't have done so, it still wouldn't matter.
Because if what I'm saying is not factual and makes no sense, you could obviously still rather easily point that out, and expose the logical and factual flaws in my comments. But you didn't and don't do that. Instead, you fall back to ad hominem attacks and other logical fallacies. You wouldn't have to do that if you would actually have a factual and logical counterpoint to my statements, would you?
And no, you don't actually have to answer that question. It was a rhetoric one, which we both know the answer on.
> Your "reasoning" is like
Oh deary, deary me, FF22 and you were complaining (incorrectly) about *me* using fallacious arguments!
Shall we try Ad Hominem Tu Quoque? Or maybe Burden of Proof? Or there's always the good old False Analogy...
(You could, of course, also look up the definition of what "theft" actually is, but that's by-the-by...)
> the reason why I'm saying what I'm saying is completely irrelevant
Is it? Ok, FF22, you tell us *why* this *ONE* particular issue is so important to you.
As I said, out of (what was, at the time) just 86 posts since 2013, a large proportion of them have been about the blocking of adverts, so why this and nothing else? Why are you putting so much time into attacking Alexander Hanff? I, for one, would like to know.
> if what I'm saying is not factual and makes no sense, you could obviously still rather easily point that out, and expose the logical and factual flaws in my comments. But you didn't and don't do that.
No, I haven't and I'm not going to because others are doing that and comprehensively and repeatedly demolishing your arguments, but you are simply not willing to accept even the possibility that you could be wrong.
So, again, I ask *WHY* this one particular issue is such a big deal for you.
Now are you going to answer that, or are you just going to try to move the goalposts again and attack me for pointing out your fallacies instead?
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
