UK Web Focus

Innovation and best practices for the Web

Privacy Settings For UK Russell Group University Home Pages

Posted by Brian Kelly (UK Web Focus) on 24 May 2011

On the website-info-mgt JISCMail List Claire Gibbons, Senior Web and Marketing Manager at the University of Bradford, today asked “Has anyone done anything in particular in response to the changes to the rules on using cookies and similar technologies for storing information from the ICO?” and went on to add that “We were going to update and add to our privacy policy in terms of what cookies we use and why”.

This email message was quite timely, as privacy issues will be featured in a plenary talk at UKOLN’s forthcoming IWMW 2011 workshop, which will be held at the University of Reading on 26-27 July, with Dave Raggett giving the following talk:

Online Privacy:
This plenary will begin with a report on work on privacy and identity in the EU FP7 PrimeLife project which looks at bringing sustainable privacy and identity management to future networks and services. There will be a demonstration of a Firefox extension that enables you to view website practices and to set personal preferences on a per site basis. This will be followed by an account of what happened to P3P, the current debate around do not track, and some thoughts about where we are headed.

The Firefox extension mentioned in the abstract is known as the ‘Privacy Dashboard’ and is described as “a Firefox add-on designed to help you understand what personal information is being collected by websites, and to provide you with a means to control this on a per website basis”. The output for a typical home page is illustrated.

The dashboard was developed by Dave Raggett with funding from the European Union’s 7th Framework Programme for the PrimeLife project, a pan-European research project focusing on bringing sustainable privacy and identity management to future networks and services.

In order to observe patterns in UK universities’ online privacy practices I have used the W3C Privacy Dashboard to analyse the home pages of the twenty UK Russell Group university Web sites. The results are given in the following table.

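| Ref. No. | Institution | Cookies: session | Cookies: lasting | Cookies: external lasting | External third party: sites | External third party: cookies | External third party: lasting cookies | Invisible images |
|---|---|---|---|---|---|---|---|---|
| 1 | University of Birmingham | 3 | 3 | 0 | 4 | 0 | 2 | 0 |
| 2 | University of Bristol | 0 | 0 | 0 | 4 | 0 | 6 | 8 |
| 3 | University of Cambridge | 1 | 3 | 0 | 3 | 1 | 2 | 0 |
| 4 | Cardiff University | 1 | 4 | 0 | 0 | 0 | 0 | 0 |
| 5 | University of Edinburgh | 1 | 4 | 0 | 0 | 0 | 0 | 0 |
| 6 | University of Glasgow | 2 | 3 | 0 | 2 | 1 | 6 | 2 |
| 7 | Imperial College | 3 | 3 | 0 | 3 | 0 | 2 | 0 |
| 8 | King’s College London | 3 | 3 | 0 | 3 | 1 | 6 | 0 |
| 9 | University of Leeds | 2 | 3 | 0 | 1 | 0 | 0 | 0 |
| 10 | University of Liverpool | 2 | 3 | 0 | 2 | 2 | 3 | 0 |
| 11 | LSE | 3 | 0 | 0 | 1 | 0 | 0 | 0 |
| 12 | University of Manchester | 3 | 0 | 0 | 1 | 0 | 0 | 0 |
| 13 | Newcastle University | 2 | 0 | 0 | 0 | 0 | 0 | 3 |
| 14 | University of Nottingham | 2 | 3 | 0 | 2 | 0 | 5 | 0 |
| 15 | University of Oxford | 1 | 5 | 0 | 1 | 0 | 0 | 1 |
| 16 | Queen’s University Belfast | 1 | 3 | 0 | 1 | 0 | 0 | 0 |
| 17 | University of Sheffield | 2 | 3 | 0 | 0 | 1 | 0 | 0 |
| 18 | University of Southampton | 1 | 3 | 0 | 3 | 0 | 0 | 0 |
| 19 | University College London | 1 | 2 | 7 | 0 | 0 | 0 | 0 |
| 20 | University of Warwick | 9 | 6 | 0 | 39 | 2 | 95 | 6 |
| | TOTAL | 43 | 54 | 7 | 70 | | 127 | 20 |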

It should be noted that the findings appear to be volatile, with significant differences being found when the findings were checked a few days after the initial survey.

How do these findings compare with other Web sites, including those in other sectors? It is possible to query the Privacy Dashboard’s data on Web sites for which data is available, which include Fortune 100 Web sites. In addition I have used the tool on the following Web sites:

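| Ref. No. | Institution | Cookies: session | Cookies: lasting | Cookies: external lasting | External third party: sites | External third party: cookies | External third party: lasting cookies | Invisible images | Additional comments |
|---|---|---|---|---|---|---|---|---|---|
| 1 | W3C | 0 | 0 | 0 | 2 | 0 | 4 | 1 | P3P Policy |
| 2 | Facebook Home page | 4 | 6 | 0 | 1 | 0 | 0 | 1 | |
| 3 | Google | 0 | 7 | 0 | 0 | 0 | 1 | 0 | |
| 4 | No. 10 Downing Street | 1 | 4 | 0 | 8 | 0 | 52 | 1 | (Nos. updated after publication) |
| 5 | BP | 1 | 1 | 0 | 0 | 0 | 0 | 2 | P3P Policy |
| 6 | Harvard | 3 | 4 | 1 | 0 | 0 | 0 | | |
| 7 | ICO.gov.uk | 2 | 3 | 0 | 1 | 0 | 0 | 1 | |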

I suspect that many Web managers will be following Claire Gibbons’ lead in seeking to understand the implications of the changes to the rules on using cookies and similar technologies for storing information and reading the ICO’s paper on Changes to the rules on using cookies and similar technologies for storing information (PDF format). I hope this survey provides a context to the discussions and that policy makers find the Privacy Dashboard tool useful. But in addition to ensuring that policy statements regarding use of cookies are adequately documented, might not this also provide an opportunity to implement a machine-readable version of such policy? Is it time for P3P, the Platform for Privacy Preferences Project standard, to make a come-back?

15 Responses to “Privacy Settings For UK Russell Group University Home Pages”

  1. Emma said

    Just had a look at Portsmouth’s …

    hmm… well I would post the result, if only I could work out how to get the data back! Guess I’ll have to clear me cookies & start again, but I’m just in the middle of a few things right now. Later!

  2. Emma said

    Found the option – (in Firefox 4 on Mac, it’s under Tools – sensible place, really!)

    So, here you are: http://is.gd/LQ15Rb (I hope!)

  3. JISC Legal have produced a useful commentary on this area, but it’s apparent that when asking What does the new “cookie” legislation require us to do?, the answer is uh we don’t entirely know, but you should do something.

    For example as reported in the BBC News in March:

    The exact steps that businesses have to go through to comply with the law and gain consent from customers and users are being drawn up by the Department for Culture, Media and Sport (DCMS).

    A spokesman for the DCMS said that work on the regulations was “ongoing” but that the technical solutions would not be complete by 25 May.

    In a statement, Ed Vaizey, minister for Culture, Communications and the Creative Industries, said he recognised that the delay would “cause uncertainty for businesses and consumers”.

    Cookies are used by websites to save user preferences between visits.
    “Therefore we do not expect the Information Commissioner’s Office (ICO) to take enforcement action in the short term against businesses and organisations as they work out how to address their use of cookies,” he added.

    Information Commissioner Christopher Graham said: “I cannot bark at the industry at the moment because I have not got the regulations.”

    However, Mr Graham stressed that the government’s confession that the regulations will be delayed should not be a spur to inaction.

    “My message is that this is not your ‘get out of jail free’ card,” he said.

  4. The ICO seems to be looking for best practice examples but not sure that they have any to share with site owners yet. Indeed their own site lobs a number of cookies onto your machine (see ‘Privacy Dashboard’ results in Brian’s post). They do have an extended cookie privacy notice with a section on cookies – see-> http://www.ico.gov.uk/Global/privacy_statement.aspx they have included links to an “About Cookies” web site and also to a Google browser plugin to opt out of analytics. I suspect this will be the short-term solution that everybody takes? Will be interesting to see if the ICO’s cookies vanish by the end of the week or not.

    Also what happens if the website is hosted on a server out-with the EU? Does the legislation still apply? Any legal experts out there?

    Free breakfast seminars on the subject being run by Out-Law.com – http://out-law.com/page-6024 – we will be sending a developer to do some fact finding. May be useful for others who can make it.

    Birmingham Thursday 2nd June
    Manchester Tuesday 7th June
    Edinburgh Wednesday 8th June
    Glasgow Thursday 9th June
    London Friday 10th June FULLY BOOKED
    London (repeat) Tuesday 14th June FULLY BOOKED
    Singapore Thursday 30th June

  5. Slightly confused by the results for us (Warwick) here, volatile as the results are (and worrying, if we were setting 100+ cookies!) we can’t seem to reproduce them here, I get this: http://i.imgur.com/vuNqm.png which seems a more accurate representation!

    With regards to the regulations, we plan to move a lot of our long-lived preference cookies (those that just store which tab was last clicked, etc) to use browser local storage rather than cookies, but the regulation isn’t clear at all on whether this is permissible – it seems to me that the regulation’s aim is to stop tracking that is sent to a third party, but it explicitly mentions Flash LSOs (which aren’t sent to the server at all afaik) as not permissible.

    All still very confusing!

  6. Update on the BBC website – http://www.bbc.co.uk/news/technology-13541250

    Cookie law deferred for one year – UK websites are being given one year to comply with EU cookie laws, the Information Commissioner’s Office has said.

  7. Brian Kelly said

    @Mat Thanks for the feedback – and the image. As I said I did find some changes in the findings when I repeated the analysis. I wonder whether services could be using cookies differently to different client environments? I’ll revisit your site and publish details of the cookies reported by another Firefox plugin.

    I think the evidence we are collecting is valuable to the community. Of course it may be that there are bugs in the plugins – and many eyes should help to spot such problems.

  8. @Mat I have relaunched my Firefox browser and revisited the page. This time there are fewer privacy factors listed: 0 session cookies, 0 lasting cookies, 0 external lasting cookies, 1 external third party site, 2 external third party session cookies, 8 external third party lasting cookies and invisible images.

    I wonder if there is a bug in the Privacy Dashboard – perhaps failing to clear data from previous uses? I will inform the developer.

  9. Jon warbrick said

    Some brief research suggests the W3C Privacy dashboard may be reporting every cookie currently set in your browser that’s valid for the page you are looking at or any of its included content (image, style sheet, JavaScript, frame, etc). So the exact list is going to depend on your browsing history and how long you’ve had this particular browser profile. Listed cookies may no longer be being set, and they may have been set by viewing a different page or (in the case of domain cookies) even by a different server.

    This may go some way to explaining the volatility – probably the best thing to do is to start from a fresh Firefox profile but even this may not give a complete picture unless you first visit every page on your site.

    I think the current ‘correct’ figures for the Cambridge homepage are 1 session cookie [Analytics], 3 lasting cookies [Analytics], ZERO external lasting cookies, one external third party site [www.google-analytics.com for urchin.js], ZERO external third-party cookies. Some further cookies valid for the home page will probably be set by other pages on http://www.cam or elsewhere.

    • Thanks for the comment. I did wonder the same thing myself – I recently encountered a similar bug with the Open Attribute Firefox plugin which seemed to be providing incorrect information on Creative Commons licences. Following discussions with the developer it seems that the plugin was getting data from other tabs in the browser display (this bug has now been fixed). I have notified the developer of the Privacy Dashboard of the inconsistencies I have found – thanks for providing him with a suggestion as to what the problem may be.

      • Jon Warbrick said

        I’m not convinced this is really a bug – the Privacy Dashboard is doing what an end-user might reasonably expect: documenting what potentially privacy-compromising information their browser is returning. The problem is that we are trying to use it for something subtly different: finding out what potentially privacy-compromising things a site is doing.

        Thinking about this further I think it’s somewhere from tricky to impossible to automatically discover what cookies (1st and 3rd party) any given ‘site’ is going to set. At the very least it’s going to require spidering every page on the site _and_ retrieving all the embedded content (images, JavaScript, css), and this is still going to miss cookies set by JavaScript (like Analytics seems to do), anything set based on conditions that are not met (e.g. only set if there is an ‘R’ in the month), and anything set by other sites in the same domain. And there are still things like Flash cookies…
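The thread above separates what a browser profile already holds from what one page load actually sets. As an added example (not part of the original post or comments, and not the Privacy Dashboard's own logic), the Python below counts only the `Set-Cookie` headers returned during a single load, split into session/lasting and first-party/third-party; the hosts, cookie names and the `site_of` heuristic are assumptions, and cookies set by JavaScript are not visible to it.

```python
from collections import Counter
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import urlsplit

# Constructed sample of one fresh page load: (URL, Set-Cookie values). Names invented.
PAGE = "http://www.example.ac.uk/"
RESPONSES = [
    (PAGE, ["SESSID=abc; Path=/",
            "prefs=tab2; Expires=Wed, 23 May 2012 10:00:00 GMT; Path=/"]),
    ("http://static.example.ac.uk/site.css", []),
    ("http://tracker.example.net/pixel.gif",
     ["uid=42; Max-Age=31536000; Domain=.example.net", "t=1; Path=/"]),
    ("http://www.example.ac.uk/old.js", ["gone=; Max-Age=0"]),
]

def site_of(host):  # assumption: crude site key, not the Public Suffix List
    labels = host.lower().split(".")
    return ".".join(labels[-3:] if labels[-1] == "uk" else labels[-2:])

def lifetime(set_cookie, now):  # -> "session", "lasting" or "deleted"
    pairs = (p.strip().partition("=") for p in set_cookie.split(";")[1:])
    attrs = {k.lower(): v.strip() for k, _, v in pairs}
    try:
        if "max-age" in attrs:  # Max-Age takes precedence over Expires (RFC 6265)
            return "lasting" if int(attrs["max-age"]) > 0 else "deleted"
        if "expires" in attrs:
            expires = parsedate_to_datetime(attrs["expires"])
            return "lasting" if expires > now else "deleted"
    except (TypeError, ValueError):
        pass  # unparseable lifetime: treated here as a session cookie
    return "session"

def survey(page, responses, now):  # counts for a single page load
    home = site_of(urlsplit(page).hostname)
    counts, external_hosts = Counter(), set()
    for url, cookies in responses:
        host = urlsplit(url).hostname
        external = site_of(host) != home
        if external:
            external_hosts.add(host)
        for cookie in cookies:
            kind = lifetime(cookie, now)
            if kind != "deleted":
                counts[("third_party_" if external else "") + kind] += 1
    counts["third_party_sites"] = len(external_hosts)
    return counts

if __name__ == "__main__":
    print(dict(survey(PAGE, RESPONSES, datetime.now(timezone.utc))))
```

Because the counts come from response headers alone, repeating the run gives the same figures regardless of browsing history, which is the volatility the commenters ran into.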

  10. [...] initial post was followed by a report on a survey of Privacy Settings For UK Russell Group University Home Pages.  This helped to identify how cookies are currently being used on the institutional home page for [...]

  11. [...] the twenty Russell Group universities was carried out and the findings published in a post on Privacy Settings For UK Russell Group University Home Pages.  Subsequently staff working in institutional web teams across the wider UK higher education [...]

  12. [...] from privacy policies provided by Russell Group Universities (which were surveyed in a post on Privacy Settings For UK Russell Group University Home Pages published in May 2011) together with a number of other universities who provided institutional [...]

  13. [...] May 2011 a survey of Privacy Settings For UK Russell Group University Home Pages was followed by a post which asked How Should UK Universities Respond to EU [...]
