UK Web Focus (Brian Kelly)

Innovation and best practices for the Web

Archive for the ‘Legal’ Category

Microsoft Adopts First International Cloud Privacy Standard

Posted by Brian Kelly on 18 Feb 2015


On Monday 16 January 2015 Microsoft announced that they had adopted the first international Cloud privacy standard.

The standard in question is ISO/IEC 27018, the code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors.


A ZDNet article entitled “Microsoft adopts international cloud privacy standard” was published yesterday which provided Microsoft’s summary of this development:

… under the standard, enterprise customers will have control of their data; will be informed of what’s happening with their data, including whether there are any returns, transfers, or deletion of their personal information; and will be protected with “strong security” by ensuring that any people processing personally identifiable information will be subject to a confidentiality obligation.

At the same time, Microsoft has ensured that it will not use any data for advertising purposes, and that it will inform its customers if their data is accessed by the government.

Other news announcements included:

The latter article highlights one limitation of the standard: “Microsoft added the new standard forces them to inform users about government access to data, unless the disclosure is prohibited by law”. This seems to suggest that if the UK Government requests data held by Microsoft in their Cloud service, conformance with the standard will require them to publicise such disclosure; however this would not be the case in the US, where such disclosure is seemingly prohibited by law.

Andrew Cormack, in a post on Janet’s Regulatory Developments blog, pointed out that Microsoft’s adoption of the ISO/IEC 27018 standard covers “their Azure, Office365 and Intune cloud services”. This should be a pleasing development for institutions which are making use of Microsoft’s Cloud services. But where does this leave Google, Amazon and other major Cloud services?



Posted in Legal, standards | Tagged: | 1 Comment »

Subverting Copyright (and Other Flawed Legislation)

Posted by Brian Kelly on 4 Nov 2014

Be Informed: Recent Changes to Copyright Law

Last week Jason Miles-Campbell, manager of the JISCLegal service, gave a talk entitled “Be Informed: Recent Changes to Copyright Law” at the CILIPS Autumn Gathering.

Jason summarised changes to copyright legislation which were approved by Parliament in July 2014 and came into force on 1 October 2014.

The slide (illustrated) Jason used which caught my eye described how:

the fact that our system of communication, teaching and entertainment does not grind to a standstill is in large part due to the fact that in most cases infringement of copyright has, historically, been ignored.

This quotation comes from a post published in 2008. Since the blog asked for its content not to be attributed I will not provide a link (but note that I used Google to find the source of this quotation!).

The quotation came from Sir Hugh Laddie, a British High Court judge, lawyer, professor, and a specialist in intellectual property law who died in 2008. The blog post suggested that:

In the field of copyright, two of Sir Hugh’s articles should be laminated and placed on your desk so they may be re-read often. The first is his 1995 Stephen Stewart lecture, “Copyright: Over-strength, Over-regulated, Over-rated”, published in 18 European Intellectual Property Review 253 (1996).

and went on to describe how Sir Hugh:

criticized the insane criminalization of the economic tort of copyright infringement: “We have … reached the stage where taxpayers’ money is being used to enforce private rights which many might think are more than adequately protected by civil remedies. I should also mention that it appears that in most cases it is not the poor and weak who are using these criminal provisions but the rich and well organised.”

In light of the recent changes to copyright legislation Sir Hugh Laddie’s comment, made that many years ago, that “the fact that our system of communication, teaching and entertainment does not grind to a standstill is in large part due to the fact that in most cases infringement of copyright has, historically, been ignored” could be regarded as demonstrating that flawed legislation will eventually be repealed. However I think this ignores the value of the actions taken not only by those who have pro-actively sought to change the legislation but also the actions taken by those who have ignored legislation which is clearly flawed, in which no or minimal harm is done to others by such action.

A Risk Management Approach to Copyright Legislation

Several years ago Professor Charles Oppenheim gave a seminar about copyright and institutional repositories at the University of Bath – and terrified the audience when we realised that most of our work in developing an institutional repository would likely infringe copyright.

However in response to a question I posed as to whether copyright concerns would inhibit the development of the repository, Charles said this needn’t be the case: rather there is a need to understand the legal issues but to make an informed decision on actions based on an assessment of the risks and a decision as to whether the organisation was prepared to take the risks.

Charles and I subsequently co-authored a paper on “Empowering Users and Institutions: A Risks and Opportunities Framework for Exploiting the Social Web” in which we documented a framework for making an informed decision in addressing copyright and other issues.

Charles and Naomi Korn subsequently developed a Risk Management Calculator as part of the Web2Rights OER Support Project. As illustrated, if you wish to make use of a textual document which wasn’t published with a commercial intent, doesn’t contain clinical content or images of identifiable individuals or children, but the provenance and licence of the resource is unknown, there will be risks in reusing the resource, but the risks will be low. In this situation the toolkit concludes “[The] Indicative Risk Value indicates that there is some risk associated with the content that you wish to use. If your organisation is risk averse and seeking permission or using alternative material then you will need to consider seeking permission or using alternative material.”

What Else Have We Subverted?

Beyond copyright there are other examples of supposed legal requirements which can be seen to be flawed, so that those who are willing to take a small amount of risk can ignore them.

Cookie legislation is one example; since the requirement that users must ‘opt-in’ to the use of cookies has been shown to be technically flawed, a pattern of use in which web site owners simply inform visitors that they make use of cookies and document the cookies used and their purpose is now widely accepted as an acceptable practice.

Another example is email disclaimers. A few days ago I received an email message which contained a request for information which could be easily addressed by forwarding the message. However the message contained a legal disclaimer:

Legal disclaimer
The information transmitted is the property of the University of xxxx and is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Statements and opinions expressed in this e-mail may not represent those of the company. Any review, retransmission, dissemination and other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender immediately and delete the material from any computer.

Although I am entitled to forward the message, it would appear that subsequent forwarding to others who may have to process the request for information is prohibited. But does anyone care about such legal niceties?

Beyond the infringements which many computer users may be guilty of, in the early days of the Web creators of HTML pages will have created pages containing links to other Web sites, almost certainly without getting permission to create such links. But even back in 2008 there were still discussions as to whether you need permission to link to someone’s content.


Just over a year ago I asked “Do We Want Radical Law-Breaking Librarians?” The background to the post was a BBC News article which described how “UK’s top prosecutor defends journalists who break law in public interest”. The story was about the role of journalists in making information publicly available. Keir Starmer, the director of public prosecutions, insisted that it “would be very unhealthy if you had a situation where a journalist felt that they needed to go to their lawyer before they pursued any lead or asked any question”.

The article went on to suggest that library rules which seek to ban the use of mobile phones, which can be used to make copies of copyrighted resources or take photos of people without their permission, may be counter-productive. I would argue that the welcome changes in copyright legislation have come about not just from the advocacy of organisations such as Jisc and CILIP but also from the risk-takers. Blessed are the risk-takers, for they set the path for others to follow!

Note: A few hours after this post was published Andrew Cormack alerted me to an article published less than a week ago which described how the CJEU rules on whether ‘framing’ amounts to copyright infringement:

On 21 October 2014 the CJEU had to decide in the case of Bestwater whether embedding content in a website via “framing” constitutes “communication to the public” within the meaning of Article 3 of the InfoSoc Directive [1] and therefore infringes the copyright of the creator of the content.

The article goes on to explain:

The CJEU has now made it clear that linking does not constitute a “making available to the public” (or any other form of communication to the public), irrespective of which linking technique is used as long as the link leads to a website that is available to the public as a whole.

This decision drew on a previous ruling:

where it had already decided that hyperlinks do not constitute a “making available to the public” provided the link is to content that is freely and lawfully available online.

Or, in brief, you can link to Web resources and embed Web content in frames provided that the content itself is freely and lawfully available online. You can now, it would seem, create links from your Web pages to such resources without having to worry too much about the legal ramifications. Of course, you may have been doing this already, before the legal ruling was made!


Posted in Legal | Tagged: | Leave a Comment »

Don’t Leave Instagram (or Facebook, Google Drive, …) Until You’ve Considered the Implications

Posted by Brian Kelly on 17 Jan 2013

New Year: An Opportunity to Delete Social Media Accounts!

A few days ago I received the following email from Instagram:

As we announced in December, we have updated our Terms of Service and Privacy Policy. These policies also now take into account the feedback we received from the Instagram Community. We’re emailing you to remind you that, as we announced last month, these updated policies will be in effect as of January 19th, 2013. 

That’s right, as of Saturday 19th January 2013, the new terms and conditions come into operation.

Did you delete your Instagram account before Christmas, once you saw the tweets and the blog posts about how Instagram intended to sell the photos you have taken of your loved ones? Perhaps you made a new year’s resolution to cancel subscriptions to services for which you don’t pay a subscription, so that “you’re the product”. Or maybe you have taken the opportunity to delete accounts which you simply don’t use: perhaps Google+ appeared promising when it was launched but it hasn’t found a place in your regular workflow.

Are You Making An Informed Decision?

Is your decision based on a correct understanding of the appropriate policies? Are you aware of the possible risks in deleting social media accounts?

Back in April 2012 a post which asked Have You Got Your Free Google Drive, Skydrive & Dropbox Accounts? was written in response to a tweet from @sydlawrence which said:

Holy crap. Google owns everything on google drive. Tell me a business that will use it… … 

which linked to the following screenshot of the Google Drive terms and conditions:

The screenshot quite clearly states that “You retain ownership of any intellectual property that you hold in that content. In short, what belongs to you stays yours”. It’s therefore not surprising that the image was subsequently deleted – but not before the post was retweeted 1,109 times and favourited by 115 Twitter users!

This provides a good example of how an incorrect summary (whether through a mistake or malicious intent) of the terms and conditions of a service can be easily repeated and, through Twitter’s power in viral communications, lead to such misinformation being widely accepted as the truth.

The situation with Instagram is not as clear-cut since the company have admitted their failings:

it became clear that we failed to fulfill what I consider one of our most important responsibilities – to communicate our intentions clearly 

and explained how, in the light of user feedback (emphasis provided in original):

we are reverting … to the original version that has been in effect since we launched the service in October 2010

Instagram now echoes Google in providing an unambiguous statement regarding ownership of content uploaded to the service:

Instagram has no intention of selling your photos, and we never did. We don’t own your photos – you do.

So if you deleted your Instagram account because you had been led to believe that you were losing ownership of your content or that your content could be sold without your permission, then you made this decision based on incorrect assumptions!

Further Thoughts on Deletion of Social Media Accounts

“If you’re not paying for something, you’re not the customer; you’re the product”

Back in November 2010 a post on the LifeHacker blog gave the background to the statement If You’re Not Paying for It; You’re the Product:

This particular quote comes from a discussion on MetaFilter, regarding the massive changes at the social aggregation news site Digg earlier this year. MetaFilter user blue_beetle accurately observed that “if you’re not paying for something, you’re not the customer; you’re the product being sold”. This sentiment doesn’t just apply to unhappy Digg users but to a significant portion of the online experience and many real life interactions.

I’ve commented previously on the flaws in this argument: I didn’t pay for my education as a child – does this mean that I’m simply a product of the capitalist system which will seek to exploit me as a worker and provide free health care so my productivity is maximised? Similarly I don’t pay to watch ITV; in this case the adverts are the TV companies’ key services which I am encouraged to consume, with the TV programmes filling the gaps between the advertising breaks.

In reality many of the social media services seek to monetise the ‘attention data’ in order to make a profit, as well as to cover the costs of providing the services. Like many people, although by no means everyone, I am prepared to accept this environment and have not chosen to purchase a premium account, which many social media companies provide for those who wish to avoid seeing advertising materials.

I am not alone in my views on the phrase. The Powazek blog contained a post entitled I’m Not The Product, But I Play One On The Internet, published in December 2012, which described how:

But the more the line is repeated, the more it gets on my nerves. It has a stoner-like quality to it (“Have you ever looked at your hands? I mean really looked at your hands?”). It reminds me of McLuhan’s “the medium is the message,” a phrase that is seemingly deep but collapses into pointlessness the moment you think about using it in any practical way. 

The post concludes:

we should all stop saying, “if you’re not paying for the product, you are the product,” because it doesn’t really mean anything

There will be legitimate reasons why you may choose not to use a service because you are unhappy with their terms and conditions – but such decisions should be informed decisions, and not made just because you aren’t paying for the service.

Social Media Accounts Which Aren’t Being Used

But beyond the issue of the terms and conditions, should you delete an account because it is little used? Although this would appear to be a sensible decision there is a need to consider the associated risks.

Back in January 2011 a post on Evidence of Personal Usage Of Social Web Services described the long gestation period for services such as Twitter. As I concluded, “in the case of Twitter it was only after two years of first using the service that it became embedded in my working practices” – there was a need to (a) have a critical mass of Twitter followers with whom I could engage; (b) have more effective tools than the Twitter Web client I used initially and (c) have a compelling use case which convinced me of the value of the service (this turned out to be use of Twitter at a conference when I was away from the office for a period and meeting new people).

I would admit that I have not yet found a compelling use case for Google+. But I will keep the account, partly because the account is used to authenticate myself with other Google services. But in addition I would not wish to miss out on the occasional use I do make of Google+ or to have to rebuild a Google+ community if I delete the account and subsequently find uses for the service.

Similarly my Facebook account provides an address book for friends and colleagues and a means of keeping in touch beyond annual Christmas cards. But in addition, as I suggested in a post which asked What Could Facebook’s New Search System Offer Researchers?, recent Facebook developments, such as the Facebook Graph Search, may provide new opportunities which could be of value to me. Stephen Downes on the OLDaily blog has commented that:

A graph search makes sense, and would eventually provide better results than Google, but it really depends on people being engaged enough with Facebook to generate useful data, and that is far from clear. More from E-Commerce Times, Social Media Today, BBC News, Mashable, Brian Kelly, ClickZ, Technology Review, Ben Werdmuller, Wired News.

I agree that it is unclear whether Facebook will have sufficient momentum to provide a useful service; for me, this is also true of Google+. However I have judged the risks of continuing to use the services as low, with the loss of my networks on such services meaning that it would be difficult and time-consuming to regenerate such networks if the services did turn out to be useful.

I have summarised the decisions I have made and the rationale behind the decisions. Have you chosen to delete any social media accounts? Or have you considered deleting accounts and decided not to? I’d welcome your thoughts.

PS: A tweet from @digisim reminded me that I had intended to also add that one reason for subscribing to social media services which aren’t used is to claim your username. I have claimed briankelly on the service in case that service (touted as an open alternative to Twitter) ever takes off. However as I have only posted four times since July 2008 and only have 12 followers it seems unlikely that the service will take off.


Posted in Legal, Social Web | 19 Comments »

IWMW 2012 and the Cookie Monster – 28 Days Later

Posted by Brian Kelly on 17 Jul 2012

The IWMW 2012 event took place on 18-20 June. One of the most popular of the parallel sessions sought to explore ways in which institutions should be Responding to the Cookie Monster. As described in the abstract:

Are our desires to develop user-focussed and personalised Web services in tatters in light of UK legislation which requires providers of Web services to ensure that users have opted in to the use of cookies? After all, the evidence from the experiences of the ICO (Information Commissioner’s Office) web site seems to suggest that users won’t opt-in, and without web analytics and storing user preferences it would appear impossible to develop such services?

This interactive workshop session will explore the background to the legislation and the guidance issued in December 2011 by the Information Commissioner’s Office.

The session will address some of the key points from the guidance document, including the need for auditing cookie usage and ensuring users are informed in a clear and understandable fashion of why cookies are being used.

This session will provide an opportunity for participants to describe approaches being taken locally and explore best practices which may be used within the sector.

This was popular not only in terms of the large numbers of people who booked for the session but also judging by the evaluation received for the session, with the session receiving an average score of 4.09 on a scale of 1 = poor to 5 = excellent. The comments made on the session included:

  • Being relatively new to the sector, this is the point at which it dawned on me that there’s a huge support network for HEIs. I’d heard of JISC and UKOLN before but didn’t appreciate that when it comes to sector-wide issues – cookie law being a case in point – there’s a heap of work being done by some very knowledgeable people which negates the need for us to reinvent the wheel in isolation.
  • Made me all warm and tingly…
  • Claire is an inspiration for women working within a male dominated industry and I will certainly be watching that space to keep up with the Cookie Monster developments.
  • Very interesting hearing from JISC Legal and from other institutions about their approach.

The session was facilitated by Claire Gibbons, Senior Web and Marketing Manager at the University of Bradford and John Kelly, Principal Legal Information Specialist with JISC Legal. Prior to the IWMW 2012 event I had worked with Claire and John in order to help develop and share best practices for responding to the ‘cookie’ legislation. This work included writing posts on this blog on:

together with an article published in JISC Inform in Spring 2012 which asked The new cookie laws: how aware are you?
The work included analysis of the emerging cookie policies and approaches which were being taken initially across the 20 Russell Group universities, which was subsequently extended to other institutions who were willing to update a Google Spreadsheet with links to their cookie policies.
The blog posts which were published between December 2011 and May 2012 sought to make others aware of the advice and guidelines being developed by the ICO and to suggest how the guidelines could be interpreted by those working in the higher education sector. It was suggested that providing a clear policy on how cookies are being used could be an appropriate response to the legislation, and that institutions may not be required to deploy an opt-in widget across pages on institutional web sites. A few days before the legislation was implemented the government confirmed that such implied consent would be acceptable.

Looking at the cookie policies for the institutions for which links to their policy pages had been provided it seems that all 29 institutions appeared to have taken this implied consent approach. If you view the following pages you should not be presented with a ‘cookie alert’ widget which, it seems, causes annoyance to users who encounter them:

Aberdeen, Abertay, Aberystwyth, Bath, Birmingham, Birkbeck, Bradford, Bristol, Cambridge, Cardiff, Cranfield, Edge Hill, Edinburgh, Glasgow, King’s College London, Leeds, Liverpool, LSE, Manchester, Nottingham, Oxford, Sheffield, Sheffield Hallam, Staffordshire, UCLAN, UCL, UWE, Warwick, York

What, then, have we learnt 28 days after the session on Responding to the Cookie Monster took place? I would suggest the following points should be considered, even if they may appear to be counter-intuitive:

  • It can be risky to implement policies based on a worst case interpretation of legislation.
  • Implementing expensive technical widgets which turn out to be inappropriate may lead to risks that the tabloid press issue FOI requests for the costs of implementing such solutions.
  • It can be advisable to follow approaches taken by one’s peers, rather than developing an implementation plan in isolation.

Might, then, the cookie monster have turned out to be benign, but, just as with the Y2K bug, the costs of developing a solution turned out to be the true monster! Wikipedia suggests that the “total cost of the work done in preparation for Y2K is estimated at over US$300 billion” – although there is a dissenting view. In comparison a Wired article published in April 2012 suggested that Compliance with EU cookie law could cost the UK £10 billion.

I’ll conclude by making a point I’ve made previously: there are legitimate needs to address online privacy concerns. However the cookie legislation was a fundamentally flawed approach to addressing such concerns: in many respects cookies provide benefits to end users, and the cases which users object to (searches for content being reused in adverts hosted on other web sites which share advertising services) tend, in any case, not to be used across institutional web sites.

It would appear that the Do Not Track standard will provide an appropriate technology for legislation to adopt. Institutions should ensure that they gain an understanding of the standard and how it can be used and, in particular, develop a browser upgrade plan to ensure that browsers managed within the institution support this standard. The comment described above is worth repeating: “there’s a heap of work being done by some very knowledgeable people which negates the need for us to reinvent the wheel in isolation” – so let’s ensure that even more institutions follow the approaches taken by those listed above and have a common approach to addressing legal drivers for the provision of online technologies.

I’ll conclude by providing a link to a YouTube video entitled “The Cookie Law – 28 Days Later” which gives a similar view of the flaws of the cookie legislation:

Posted in Legal | Leave a Comment »

Why I Welcome the Government’s Business-Friendly Approach to Cookies

Posted by Brian Kelly on 26 May 2012


A year ago today I wrote a post entitled How Should UK Universities Respond to EU Cookie Legislation? The post was published a few hours before the cookie legislation was originally intended to come into force, but as I said in the post:

The good news is that the ICO has recognised the complexities in implementing this legislation. As described on the BBC Web site:

UK websites are being given one year to comply with EU cookie laws, the Information Commissioner’s Office has said.

The UK government also sought to reassure the industry that there would be “no overnight changes”.

A year later the legislation has now come into force – and, as reported in the Guardian a few hours ago, “Cookies law changed at 11th hour to introduce ‘implied consent’”. The article went on to describe how:

In an updated version of its advice for websites on how to use cookies – small text files that are stored on the user’s computer and can identify them – the Information Commissioner’s Office (ICO) has said that websites can assume that users have consented to their use of them.

The advice was only updated on Thursday, 48 hours before the deadline for implementing the new rules, and published the next day.

I have to say that I am pleased with this news. In an article entitled The new cookie laws: how aware are you? published in the JISC Inform newsletter I suggested that the priorities for institutions should be to audit their use of cookies, analyse how the cookies are being used, provide clear and prominent information about the use of cookies and “devise an appropriate mechanism for obtaining informed consent from your web site users”. In April a post on How is the Higher Education Sector Responding to the Forthcoming Cookie Legislation? surveyed the approaches which had been taken by 30 universities – and the majority seemed to have taken the approach of documenting their use of cookies and explaining the purposes of the cookies.

In some quarters it was suggested that since the legislation required users to opt-in to the use of cookies, web sites would need to provide a form at the top of every page requiring users to manually verify that they were willing to accept cookies. However, as I highlighted in a post on The Half Term Report on Cookie Compliance, on 13 December the ICO announced a new set of Guidelines on the Rules on use of Cookies and Similar Technologies (available in PDF format) in a blog post entitled Half term report on cookies compliance. And it seems that they have taken a pragmatic approach which describes realistic and implementable solutions for Web site managers. Some time ago I came across a discussion about the cookie legislation which suggested that Francis Maude, Minister for the Cabinet Office, would be looking for a ‘business-friendly’ solution to privacy concerns. I will not be alone in thinking that when a Conservative Minister talks about ‘business-friendly solutions’ this means large pay rises for senior managers along with loss of pension rights and job security for workers. However in this case, although the solution is friendly for those working in the commercial sector, it is also a desirable solution for those of us who work in the education and other public sector services. The ones who will lose out are probably those who paid attention to the scare-mongers and have implemented clunky opt-out interfaces on their web sites or have withdrawn services, such as Google Analytics, which provided useful information which can help improve the quality of the service to the user community.

Of course, the legitimate privacy concerns which led to the EU directive have not been solved. But the EU directive was a flawed approach to addressing both the complexities of online privacy and the technical challenges in implementing solutions. However standards-based solutions are currently being developed, in particular the Do Not Track standard. As described on the Web site:

Do Not Track is a technology and policy proposal that enables users to opt out of tracking by websites they do not visit, including analytics services, advertising networks, and social platforms.

As described in Wikipedia:

The do not track header is a proposed HTTP header field that would request a web application to disable their tracking of a user. The “Do Not Track” header was originally proposed in 2009 by researchers Christopher Soghoian, Sid Stamm, and Dan Kaminsky. It is currently being standardized by the W3C.

In December 2010, Microsoft announced support for the DNT mechanism in its Internet Explorer 9 web browser. Mozilla’s Firefox, Apple’s Safari and Opera all later added support. It is not currently supported by Google Chrome, but will be incorporated by the end of 2012.

This will provide a standards-based way for users to manage their online privacy. Support for this proposed standard was announced recently by Twitter: as reported in the Guardian:

Twitter announced that it will officially support “Do Not Track,” a standardised privacy initiative that has been heavily promoted by the US Federal Trade Commission, online privacy advocates and Mozilla, the non-profit developer of the Firefox web browser.

The question now will be whether institutions feel this is an approach which should be deployed and, if so, how it will be implemented. Institutional responses to online privacy issues aren’t over just because a privacy policy has been published on the institution’s web site!

Finally, in case people feel that they should be following the letter of the law, I suggest you take a look at the privacy policy for Francis Maude’s web site, which states:

When we provide services, we want to make them easy, useful and reliable. Where services are delivered on the internet, this sometimes involves placing small amounts of information on your device, for example, computer or mobile phone. These include small files known as cookies. They cannot be used to identify you personally.

and goes on to add:

If you’d like to learn how to remove cookies set on your device, visit:

The video clip on “How government websites use cookies” provided by and hosted on YouTube also makes it clear that the Government’s view is that cookies provide value to the online environment. I agree with this, and hope that the Government will be proactive in adopting the Do Not Track standard to address the still unresolved issue of online privacy. I’ll conclude with a sentence I didn’t expect to write: “congratulations to Francis Maude on the approaches taken by the Government in responding to the flaws in the EU Directive“!

Posted in Legal | 2 Comments »

Terms and Conditions for Online Services

Posted by Brian Kelly on 27 Apr 2012

As described in the post on Have You Got Your Free Google Drive, Skydrive & Dropbox Accounts?, the announcement of the release of Google Drive generated much discussion, a fair amount of which was due to misinformation about Google’s alleged claims of ownership of content uploaded to Google Drive. However, although statements that “Google claim ownership of content uploaded to their service” are clearly wrong, concerns that the terms and conditions can give service providers control over your content and your use of the service in ways you do not approve of do have some validity.

In order to gain a better understanding of possible concerns, but also the reasons why service providers may use such clauses, I have documented some of the terms and conditions of services I use in the table below.

No. Terms and Conditions

1. Statement: We may update these Terms (including our Privacy Statement) from time to time. Changes will have immediate effect from the date of posting on this Site and you should therefore review these Terms regularly. Your continued use of this Site after changes have been made will be taken to indicate that you accept that you are bound by the updated Terms.
   How they will justify the statement: We may need to change the terms and conditions in light of changing circumstances.
   What they could mean: Once we’ve got you hooked, we’ll claim your first born!

2. Statement: [We] reserve the right to amend the Acceptable Use Policy at any time without notice. If the policy is amended then all list owners will be informed and they may distribute the information to list members.
   How they will justify the statement: We may need to change the terms and conditions in light of changing circumstances.
   What they could mean: Once we’ve got you hooked, we’ll claim your first born – but unlike the other service, we’ll tell you about it.

3. Statement: Unacceptable use: … Creation or transmission of material such that this infringes the copyright of another person.
   How they will justify the statement: We want to ensure that we aren’t sued for copyright infringement.
   What they could mean: If we don’t like what you’re doing we can use the copyright clause to get rid of you.

4. Statement: You must not use … computing services for the creation, collection, storage, downloading or displaying of any offensive, obscene, indecent or menacing images, data or material capable of being resolved into such.
   How they will justify the statement: This is self-evident.
   What they could mean: Our lawyers tell us we can use the “material capable of being resolved into such” to scare people.

What are your thoughts on these terms and conditions?

I should add that a Verge article which asks Is Google Drive worse for privacy than iCloud, Skydrive, and Dropbox? carried out a more detailed comparison of the terms and conditions for the Google Drive, Skydrive, Dropbox and iCloud services and concludes:

in order to run a massive online service that handles tons of user data, you need a lot of permissions from those users. Those permissions are fairly standardized, since the underlying copyright law itself is static — companies like Microsoft and Google need permission to copy and distribute your content to servers around the world to make services like Drive and SkyDrive work well. There’s also a tension between friendly language and legal precision — drawing in sharp lines often requires aggressive wording, while there’s real comfort in vagaries.

In the end, though, the actual wording of these documents doesn’t reveal much — they all set out to do the same thing, and they all accomplish their goals. What’s most important is how much trust you’re willing to give companies like Google, Microsoft, Apple, and Dropbox as more and more of your data moves to the cloud. Contracts are meaningful and important, but even the most noble promises can easily be broken. It’s actions and history that have consequences, and companies that deal with user data on the web need to start building a history of squeaky-clean behavior before any of us can feel totally comfortable living in the cloud.

I suspect the recent flurry of tweets about the Google Drive terms and conditions wasn’t really about the terms and conditions themselves (which apply to all Google services) but was really a statement from people who don’t trust Google.

Posted in Legal | Leave a Comment »

Have You Got Your Free Google Drive, Skydrive & Dropbox Accounts?

Posted by Brian Kelly on 24 Apr 2012

A few hours ago I visited Microsoft’s Skydrive Web site in order to see if I was entitled to the free upgrade from 7Gb to 25 Gb of storage. As an existing Skydrive user it seems that I was, so I’m pleased to have additional storage space which I can use for transferring files between my mobile devices (iPod Touch and Android phone) and desktop computers. As I describe in a recent post on Paper Accepted for #W4A2012 Conference, Skydrive has proved particularly useful for working with my co-authors on the final versions of a peer-reviewed paper which was produced using MS Word.

Whilst installing the Skydrive tool on my PC I noticed a tweet which announced that Google Drive had been released. Google Drive, like Skydrive and Dropbox (the utility I normally use for shipping files between various devices), provides cloud storage – and, as described in a BBC News article, Google Drive offers up to 16TB of storage with 5Gb for free – not as much as Microsoft’s offering but, to be fair, I’m getting that deal as an early adopter.

Shortly after the initial tweet I encountered scepticism in a tweet from @sydlawrence saying:

Holy crap. Google owns everything on google drive. Tell me a business that will use it… …

which linked to the following screenshot of the Google Drive terms and conditions:

There is clearly a discrepancy between the tweet and the terms and conditions: how is “Google owns everything on google drive” reconciled with “You retain ownership of any intellectual property that you hold in that content. In short, what belongs to you stays yours“?

But if we ignore such hyperbole, what should we make of the terms and conditions page which states:

When you upload or otherwise submit content to our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content.

Although it was truncated in the screenshot I should add that the terms and conditions went on to say that:

The rights you grant in this license are for the limited purpose of operating, promoting, and improving our Services, and to develop new ones.

Indeed, as I asked on Twitter in a different context, though one related to terms and conditions for a social media service, what should we make of terms and conditions which state:

We may update these Terms (including our Privacy Statement) from time to time. Changes will have immediate effect from the date of posting on this Site and you should therefore review these Terms regularly. Your continued use of this Site after changes have been made will be taken to indicate that you accept that you are bound by the updated Terms.

My view is that I will use these three Cloud storage services for both personal and work-related activities. I’m pleased that Google have been open about the fact that they may modify my content as this will include compressing my files – a Cloud storage service which did not do this would be guilty of using energy unnecessarily: something which should not be done in light of global warming concerns.

I’m also happy if Google decide to explore ways in which they can monetise my attention data, just as Facebook do when they observe my interests in beer and sport and present me with a personalised ad.

But what if they use the terms and conditions to take a copy of my content and sell it on? I don’t think this is likely, but I do accept that it is a risk. I will therefore assess such risks when I make use of the service – and would advise others to take a similar approach if they store content on the service. But I’m also aware of the missed opportunity costs if I don’t use such services.

So I’ll use Google Drive, once I’ve been given access to the service. What about you?


Posted in Legal, Web2.0 | 15 Comments »

How is the Higher Education Sector Responding to the Forthcoming Cookie Legislation?

Posted by Brian Kelly on 16 Apr 2012

A post published in February recommended Next Steps In Addressing Forthcoming Cookie Legislation and described how the sector can benefit by sharing approaches on how institutions are responding to the cookie legislation, which comes into force on 26 May.

In order to help identify the ways in which institutions are advising visitors to their web sites on institutional policies on cookie usage, the following table summarises interesting highlights from the privacy policies provided by Russell Group Universities (which were surveyed in a post on Privacy Settings For UK Russell Group University Home Pages published in May 2011) together with a number of other universities which provided institutional details in a Google Spreadsheet on UK HEI Privacy Policies.

Note that the information in the table below was collected on 13-16 April 2012.

Ref. No. | Institution | Privacy Policy | Linked from Home page? | Notes
1 | University of Aberdeen | Privacy statement | Y | Introduced by stating “This policy explains what information is gathered from web clients visiting the University of Aberdeen’s central web server, and how that information is used.”
2 | University of Aberystwyth | Cookie Policy | Via link to Terms and Conditions | Explains cookies in plain language and describes use of cookies for “(1) To retain the language choice and user type as defined on the Preferences page and (2) To collect detailed web site usage data”.
3 | University of Bath | Privacy statement | Y | Covers collection of personal data and use of email and online forms as well as use of cookies.
4 | Bath Spa University | Website terms and conditions of use | Y | Provides detailed information on specific cookies. Explains why Google Analytics is used and how users can opt out.
5 | University of Birmingham | Privacy | Y | Has sections on What information is collected? and What we do with the information?
6 | University of Bristol | Privacy and cookie policy | Y | Has sections on Information that we collect from you and your use of this website; How we use your information; How we handle the data submitted by you; Links to external web sites and How to contact us, with an additional link to the Use of cookies on the University’s website page.
7 | University of Cambridge | Privacy policies for services | Y | Provides links to privacy policies for specific services.
8 | Cardiff University | Privacy policy | Y | Explains how “Cookies are also used to compile general (not personal) site usage statistics. Cookies are not used to capture or store personal information for any other purpose.” and explains that “Other pages that are linked to from the main Cardiff University sites may have a separate privacy policy, including some Academic School, Research Centre and project-orientated websites”.
9 | Cranfield University | Privacy | Via Legal link | Explains how “The “Cookie” allows us to track visitors through the website but does not include any personally identifiable information. With most Internet Browsers, you can erase “Cookies” from your computer hard drive, block all “Cookies”, or receive a warning before a “Cookie” is stored.”
10 | Edge Hill University | Privacy statement | Y | Addresses data protection issues rather than use of cookies.
11 | University of Edinburgh | Website privacy policy | Y | Has sections on Information that we collect from you; Use of your information; Storage of your information; Disclosure of your information and IP addresses and cookies.
12 | University of Glasgow | Privacy statement | Via link to Disclaimer | Provides an explanation of cookies and describes how they are used with Google Analytics. Describes how Google may use the information collected and explains how cookies can be disabled.
13 | Imperial College | – | N | –
14 | King’s College London | Privacy statement | Via link to Terms and Conditions of Use | Has sections on How do we collect information?; What information do we collect?; How do we use this information?; Do we use ‘Cookies’?; How do we protect personal information?; Will we disclose the information we collect to outside parties? and Your Consent. Has link to detailed page on Cookie use at King’s College London.
15 | University of Leeds | Privacy statement | Y | Has sections on Purpose of this statement; Automated collection of personal information; Non-automated collection; Third-party access; Cookies; Google Analytics and Changes to this statement.
16 | University of Liverpool | Personal information on the web | Via link to Legal, Risk & Compliance | Has sections on What information is collected, and how is it used?; Cookies (including link to All About Cookies); Security and Requests for Access.
17 | London School of Economics | Terms of use | Y | Section on cookies explains what they are; describes how the “Website does not use cookies to store personal data. Cookies are used to store a unique reference number for each visitor to the Website, which allows one visitor to be distinguished from another”; provides links to All About Cookies and, and states that “if a User sets up his or her browser to reject the cookie, he or she may still use the Website, although functionality may be impaired”.
18 | University of Manchester | Privacy | Y | States that “Some parts of The University of Manchester website use cookies for security purposes (eg to save the user from having to re-enter their details for every page in a section of the site). Cookies are not used to capture or store personal information for any other purpose, and all cookies are deleted as soon as a session is ended. You may choose to refuse cookies by disabling them using your web browser.”
19 | Newcastle University | – | N | –
20 | University of Nottingham | Privacy | Y | Has sections on Information we collect; How we may use the information; Cookies; Security Access Requests and Security.
21 | University of Oxford | Privacy Policy | N | Has sections on Information collected and How the information collected is used.
22 | Queen’s University Belfast | – | N | –
23 | University of Sheffield | Privacy Policy | Y | Has sections on Information we collect as you browse our web site; About Cookies; About Spotlight tags; Use of optional information; Future developments and Security.
24 | Sheffield Hallam University | Privacy Policy | Y | Has sections on Use of information provided by visitors; Security; Cookies and Inaccurate data.
25 | Staffordshire University | Protecting Privacy on Data Transmission over the Internet | Via link to Legal | Has sections on What information is collected and What do we do with the information?
26 | University of Southampton | Privacy Policy | Via link to Terms and conditions | Has sections on Information the University May Collect From You; IP Addresses and Cookies (including link to All About Cookies); Storing your Personal Data; Uses made of the Information; Disclosure of your Information and Access to Information.
27 | University College London | Privacy | Y | Has links to Data Protection but not use of cookies.
28 | University of Warwick | Website terms and conditions | Y | The privacy statement explains “what types of personal information will be gathered when you visit the University of Warwick’s web site and how this information will be used. Please note that although Warwick’s web site provides links to other web sites, this policy only applies to the University’s web pages (ie. those ending in
29 | University of West of England | Legal Statements | Y | Has information on What are cookies?; Which type of cookie does UWE use?; UWE cookies and personal information; Blackboard; Web metrics; Can I turn off UWE cookies? and What happens if I switch off UWE cookies?
30 | University of York | Legal Statements | Y | The Privacy section describes use of cookies with Google Analytics.

Moves Towards Pragmatism

The approaches which are being taken appear to reflect the pragmatic guidance which has been provided recently.

The post on The Half Term Report on Cookie Compliance drew attention to the ICO’s Guidelines on the Rules on use of Cookies and Similar Technologies (available in PDF format) which seemed to appreciate the difficulties which institutions may face in implementing policies and practices which conform with legal requirements (“The Information Commissioner will take a practical and proportionate approach to enforcing the rules on cookies. He has to enforce the law, but he does have some discretion in how he exercises his formal enforcement powers“). The guidelines made clear the importance of making web site visitors aware of reasons why personal information is being gathered and used: “A key point here is ensuring that the information you provide is not just clear and comprehensive but also readily available“.

The emphasis on providing appropriate information rather than implementing technical solutions was highlighted last week in a post on Enforcement of cookie consent rules for analytics not a priority, ICO says published on, a Web site which provides legal news and guidance from Pinsent Masons, an international law firm. This article began:

The UK’s data protection watchdog is not likely to take action against the users of data analytics cookies on websites even if they fall foul of new EU rules on cookie consent, it has said. 

A statement from the ICO said:

… it is highly unlikely that priority for any formal action would be given to focusing on uses of cookies where there is a low level of intrusiveness and risk of harm to individuals.

It should also be noted that the International Chamber of Commerce (ICC) UK has issued new guidance (15-page / 296KB PDF) on cookies. The guidance, which has been welcomed by the ICO, contains information on the different categories of cookies that website operators use and when consent to those cookies will be required to be obtained. From this document I learnt that:

The Government and the ICO have said that browsers will be an important part of giving users the increased access

It seems that the government does have an understanding of the need for technical privacy standards such as the W3C’s Tracking Protection Working Group which aims to “improve user privacy and user control by defining mechanisms for expressing user preferences around Web tracking and for blocking or allowing Web tracking elements“.

The ICC’s guidance document also helpfully defines four categories of cookies:

  1. strictly necessary cookies
  2. performance cookies
  3. functionality cookies
  4. targeting cookies or advertising cookies

The document adds that “we are keen to ensure that these categories do not become entrenched but rather evolve as industry discovers cookies that need more accurate categorisation”, which again emphasises the realistic approaches which are being taken.

I might add that I suspect that concerns regarding privacy issues and cookies will primarily focus on targeting cookies and advertising cookies, with cookies which are

  • strictly necessary “in order to enable you to move around the website and use its features, such as accessing secure areas of the website”;
  • performance cookies which “collect information about how visitors use a website, for instance which pages visitors go to most often, and if they get error messages from web pages” and
  • functionality cookies which “allow the website to remember choices you make (such as your user name, language or the region you are in) and provide enhanced, more personal features”

not being the prime area of concern for the ICO (although I should add that IANAL).
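As an added example, not code from these posts, here is how the Do Not Track request header described in the post above and the ICC’s four cookie categories could be combined in a site’s own cookie-setting logic; the cookie names, the category inventory and the decision policy are assumptions constructed for illustration, not the ICC’s or the ICO’s own rules.

```javascript
// Added example (not from the original posts): a server-side helper that applies the
// four ICC UK cookie categories together with the Do Not Track (DNT) request header
// when deciding which cookies a response may set. Cookie names, the inventory and the
// policy below are constructed for illustration; they are not ICC or ICO rules.

// Category and origin of each cookie the (hypothetical) site sets.
const COOKIE_CATEGORIES = {
  session_id: { category: 'strictly necessary', thirdParty: false }, // login / navigation
  lang:       { category: 'functionality',      thirdParty: false }, // remembered language
  _ga:        { category: 'performance',        thirdParty: true  }, // third-party analytics
  ad_segment: { category: 'targeting',          thirdParty: true  }, // advertising network
};

// Read the DNT request header. "1" means the visitor asks not to be tracked,
// "0" means they have opted in to tracking; anything else is "no preference".
function parseDnt(headers) {
  const raw = headers.dnt !== undefined ? headers.dnt : headers.DNT;
  if (raw === undefined) return 'unset';
  const v = String(raw).trim();
  if (v === '1') return 'opt-out';
  if (v === '0') return 'opt-in';
  return 'unset';
}

// Policy: strictly necessary cookies are always allowed; any other known category
// needs the visitor's recorded consent for that category; with DNT: 1 the
// third-party (tracking) cookies are suppressed even if consent was recorded
// earlier; cookies missing from the inventory are blocked until they are audited.
function mayStoreCookie(name, consentedCategories, dnt) {
  const entry = COOKIE_CATEGORIES[name];
  if (!entry) return false;
  if (entry.category === 'strictly necessary') return true;
  if (!consentedCategories.has(entry.category)) return false;
  if (dnt === 'opt-out' && entry.thirdParty) return false;
  return true;
}

// Filter the Set-Cookie values a page wants to emit down to those permitted.
// requestHeaders: object keyed by header name; consented: array of category names.
function filterSetCookies(setCookies, requestHeaders, consented) {
  const dnt = parseDnt(requestHeaders);
  const consentSet = new Set(consented);
  const allowed = [];
  const blocked = [];
  for (const sc of setCookies) {
    const name = sc.split('=')[0].trim();
    (mayStoreCookie(name, consentSet, dnt) ? allowed : blocked).push(sc);
  }
  return { dnt, allowed, blocked };
}

// Audit helper: classify the cookies already present in a request's Cookie header,
// flagging any that are missing from the inventory (the starting point for the
// kind of cookie audit the guidance asks site teams to carry out).
function auditCookieHeader(cookieHeader) {
  const report = {};
  for (const part of cookieHeader.split(';')) {
    const name = part.split('=')[0].trim();
    if (name) report[name] = (COOKIE_CATEGORIES[name] || { category: 'unknown' }).category;
  }
  return report;
}

// Constructed sample request: the visitor previously consented to every category but
// now sends DNT: 1, and carries a cookie the site never inventoried.
const sampleRequest = { dnt: '1', cookie: 'session_id=abc; _ga=GA1.2.1; tracker_x=42' };
const wanted = ['session_id=abc; HttpOnly; Secure', 'lang=en', '_ga=GA1.2.1', 'ad_segment=sport'];
console.log(filterSetCookies(wanted, sampleRequest, ['functionality', 'performance', 'targeting']));
console.log(auditCookieHeader(sampleRequest.cookie));
```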


[Screenshot: University of Sheffield’s Privacy Policy]

When I started writing this post I was intending to comment on the patterns which we can see starting to develop. These include:

  • The ways of addressing privacy policies in a very distributed environment, as can be seen in the approach taken at the University of Cambridge.
  • The detailed technical information about specific cookies which is being provided at institutions such as Bath Spa and King’s College London.
  • The commonly used sections provided in Privacy policy pages such as the Privacy Policy at the University of Sheffield, which is illustrated.
  • The ways in which use of Google Analytics is documented, such as can be seen at Bath Spa and the University of Leeds.
  • The ways in which users are advised to disable Google Analytics, such as can be seen at the University of Glasgow.
  • The popularity of the All About Cookies service for further information about cookies.

However in light of ICC’s guidance document and its endorsement by the ICO it does occur to me that it would be useful for institutional privacy policies to make use of the language provided in this document. This suggestion might be particularly relevant for those institutions which do not appear to provide a privacy policy which can be easily found from the institution’s home page!

At the IWMW 2012 event, to be held at the University of Edinburgh on 18-20 June, Claire Gibbons (University of Bradford) and John Kelly (JISC Legal) will be running a 90 minute session on Responding to the Cookie Monster. I wonder if the cookie monster will turn out to be not as scary as we first feared?


Posted in Legal | 10 Comments »

Are Attitudes Towards Privacy Changing?

Posted by Brian Kelly on 29 Feb 2012


Liz Lyon, UKOLN Director, recently gave a talk on “The Informatics Transform: Re-engineering Libraries for the Data Decade” at the VALA 2012 conference held in Melbourne, Australia.

The abstract for the talk describes how:

This talk will present a case for a new and transformative library paradigm which delivers innovative informatics services to support data-intensive research. It will draw on cutting-edge exemplars from open data initiatives, public participation and citizen science, socio-ethical challenges with personal data, policy drivers, emergent scholarly communications and research impact metrics /tools, all of which are radically changing the research landscape. The presentation will explore how libraries can respond to these challenges with novel informatics services, new data support roles and pioneering strategic partnerships.

I was particularly interested in the “socio-ethical challenges with personal data” addressed in the talk. In the talk (and note that a recording of the talk is available) Liz described how a genome kit can be purchased for $99 (or, I discovered, from £59 in the UK).

It seems there are a number of DNA tests which can be carried out including paternity tests, forensic tests and ancestry tests. The DNA ancestry test enables you to:

Discover your deep ancestral roots using genetic genealogy. Find out where your ancestors came from, discover their ethnic background, and trace the roots of your surname.

If you order the test:

Your collection kit will have everything that you need to collect a DNA sample from inside your mouth. It’s fast, painless and simple and very similar to brushing your teeth. The entire process takes just seconds to complete. 

Does that seem appealing or does it fill you with horror? Do you really want to discover such information, which would never previously have been available? And although your personal information may be confidential, will anonymised findings be aggregated to reveal patterns of Viking ancestry around the UK?

In her talk Liz remarked on the privacy implications of such technical developments. Liz went on to report on a Nature survey which, as illustrated below, showed that “Nature readers flirt with personal genomics“. As described in the article:

Nature readers are eager to adopt these new technologies. About 18% report having had their genomes analysed in some way, ranging from whole-genome sequencing (about 10 respondents, after correcting for reporting errors) to direct-to-consumer tests. Of the remainder, 66% say they would have their genome sequenced or analysed if the opportunity arose.

I do wonder whether we are starting to see significantly changing attitudes developing towards privacy issues as technology drives developments not only for genome analyses but also, and more relevant to this blog, revelation of private information whether directly or, through aggregation of data, indirectly?

It seems to me that the forthcoming ‘cookie’ legislation will help to gain an understanding of the general public’s concerns over privacy issues. Those who developed the EU cookie directives felt it was important to ensure that users of web sites are made aware of personal information which is stored in cookies. But cookies have been with us since 1994. What if the cookie legislation, and the requirement for users to opt-in to cookies, results in a backlash, with people wishing to go back to the simplicity of today’s environment in which cookies are invisible to most people? It will be interesting to see how users will respond. And I should add that I’m saying this as someone who has a Facebook account and who, several years ago, installed a Firefox plugin which enables me to block cookies – but has never done so. Indeed, using the plugin for the first time in ages I notice that there are currently 18 cookies set. Am I bothered? The answer is no. Should I be? You tell me. Do you block cookies?

Posted in Legal | 5 Comments »

Next Steps In Addressing Forthcoming Cookie Legislation

Posted by Brian Kelly on 20 Feb 2012

The Forthcoming Cookie Legislation

We all need our privacy!

On 26 May 2011 I asked How Should UK Universities Respond to EU Cookie Legislation? The post was published the day before UK government legislation based on the EU Directive requiring users to opt-in to cookie use was due to come into force. However, in light of the government’s awareness of the difficulties in conforming with the legislation, the Information Commissioner’s Office (ICO) announced that UK websites were to be given one year to comply with EU cookie law. But May 2012 is now only three months away, so how are UK Universities responding?

As described in a post on The Half Term Report on Cookie Compliance, in December 2011 the ICO published a new set of Guidelines on the Rules on use of Cookies and Similar Technologies (available in PDF format) which seemed to appreciate the difficulties which institutions may face in implementing policies and practices which conform with legal requirements (“The Information Commissioner will take a practical and proportionate approach to enforcing the rules on cookies. He has to enforce the law, but he does have some discretion in how he exercises his formal enforcement powers“), but made clear the importance of making web site visitors aware of the reasons why personal information is being gathered and used: “A key point here is ensuring that the information you provide is not just clear and comprehensive but also readily available“.

One of the key challenges will be in developing policy statements regarding information which is gathered and stored in cookies.

Learning from Current Practices

Back in May 2011 a survey of cookie use across the twenty Russell Group universities was carried out and the findings published in a post on Privacy Settings For UK Russell Group University Home Pages. Subsequently staff working in institutional web teams across the wider UK higher education sector were invited to provide links to their privacy policies in a Google spreadsheet. The following table provides links to privacy policies and statements based on the information available from the spreadsheet.

No. | Institution | Privacy Policy
1 | Aberdeen | Privacy statement
2 | Aberystwyth | Terms and Conditions
3 | Bath | Privacy
4 | Bath Spa | Website Terms and Conditions of Use
5 | Birmingham | Privacy
6 | Bristol | Privacy and cookie policy
7 | Cambridge | Privacy policies for services
8 | Cardiff | Privacy Policy
9 | Cranfield | Cranfield University Privacy Policy
10 | Edge Hill | Privacy Statement
11 | Edinburgh | Website privacy policy
12 | Glasgow | Privacy statement
13 | KCL | Privacy statement
14 | Leeds | Privacy statement
15 | Liverpool | Personal information on the web
16 | LSE | Privacy and data protection
17 | Manchester | Privacy
18 | Nottingham | Privacy
19 | Oxford | Privacy Policy
20 | Sheffield | Privacy Policy
21 | Sheffield Hallam | Privacy Policy
22 | Staffordshire | Protecting Privacy on Data Transmission over the Internet
23 | UCL | Privacy
24 | Warwick | Website terms and Conditions
25 | York | Legal Statements

The links aim to make it easy for people to see the approaches being taken by others within the sector.

Sharing Practices

In addition to the passive process of seeing what others are doing and making use of approaches which appear useful, it can be more useful to collaboratively engage in the development of public privacy statements, such as those listed above. The same applies to discussions about important issues including approaches to auditing cookie use on web sites; ongoing auditing processes; policies for web sites which are not under the control of a central web team; and the internal processes for developing policies and procedures, including reaching agreement on the institution’s willingness to take risks if it is not possible to conform with the letter of the legislation.

Claire Gibbons, the Senior Web and Marketing Manager at the University of Bradford, has had responsibility for the development of the privacy policy at her host institution. As described in a recent blog post about a north east regional web meeting Claire:

shared our experience in terms of doing an audit of what cookies we have and presenting an updated privacy policy to our Information, Infrastructure, Access and Security group who actually signed it off. However, after subsequent conversations with colleagues and reading up a bit more I think we need to do some more work here to go beyond the ‘corporate web’ or at least point out that our Privacy policy covers and anything on another domain isn’t covered by this policy.

Claire subsequently made her draft cookie policy available as a resource which can be used and commented on by others. The draft cookie policy has been uploaded to JISCPress, with references to Bradford University removed to facilitate its use by others. Claire has used JISCPress’s commenting facilities to annotate the document, and is now inviting comments from her peers across the sector.

Feedback can be provided on the JISCPress site or on this blog.

Posted in Legal | 3 Comments »

Risk Register for Blogs

Posted by Brian Kelly on 17 Feb 2012


Bloggers’ Squabble Involves Lawyers

An article published in the Guardian the week before Christmas announced “Hacked climate emails: police seize computers at West Yorkshire home” and went on to describe how “Police officers investigating the theft of thousands of private emails between climate scientists from a University of East Anglia server in 2009 have seized computer equipment belonging to a web content editor based at the University of Leeds“. It seems that “detectives from Norfolk Constabulary entered the home of Roger Tattersall, who writes a climate sceptic blog under the pseudonym TallBloke, and took away two laptops and a broadband router“.

But rather than commenting on a climate denier’s blog, of more interest is Tattersall’s post Greg Laden: Libellous article, which describes how “Blogger Greg Laden has libelled me [Tattersall] in a scurrilous article on his blog“. In brief, Greg Laden appears to have accused Roger Tattersall of illegal activities. However, being a climate denier is not illegal, and Laden seems to have opened himself up to an accusation of libel. He seems to have realised this and has updated his post so that it now begins:

I’ve decided to update this blog entry (20 Dec 2011) because it occurs to me that certain things could be misinterpreted, in no small part because of the common language that separates us across various national borders, and differences in the way debate and concepts of free speech operate in different lands.

I want to make it clear that I do not think that the blogger “TallBloke” a.k.a. Roger Tattersall has broken British law

I hope that will be the end of the matter, but it does highlight additional legal risks related to publishing a blog, beyond the issue of the cookie legislation which was discussed in a recent post. This incident highlights possible reputational risks for an organisation which employs a blogger (even if, as in this case, the blog is published under a pseudonym and is not related to work activities) and the risk that impassioned debate may lead to libellous comments being posted.

A Risk Register For Blogs

There is a danger that risk-averse institutions may use such incidents as an opportunity to restrict or even ban blogs provided by their staff. In order to minimise that danger it may be advantageous to take a lead in providing a risk register which documents possible risks and the ways in which they may be minimised.

I am in the process of providing a risk register and the draft is given below. I welcome feedback on the risks listed below and the approaches described for minimising them. In addition I would welcome suggestions for additional risks which I may have failed to address, and suggestions for how such unforeseen risks can be minimised.

Each entry gives the risk, a description and the approach to minimising it.

Legal Risks

Infringement of ‘cookie’ legislation
Description: Since the service uses cookies to measure Web site usage, this may be regarded as infringing the ‘cookie’ legislation enforced by the ICO.
Minimisation: The ICO’s guidance suggests that, given the technical difficulties in requiring users to opt in, it is unlikely to take further action provided appropriate measures to address privacy concerns are being taken. In the case of this blog, a sidebar widget provides information on cookie usage.

Publication of copyrighted materials
Description: Blog posts may contain copyrighted materials owned by others. Images, such as screen shots, may be included without formal permission being granted.
Minimisation: Where possible, links will be provided to the source. If copyright owners feel that use of their materials is inappropriate, the content will normally be removed within a week.

Plagiarism
Description: Blog posts may plagiarise content published by others.
Minimisation: Where possible, links will be provided to content published by others, and quoted content will be clearly identified.

Publication of inappropriate comments
Description: Inappropriate blog comments may be published.
Minimisation: The policy for this blog states that inappropriate comments will be deleted.

Sustainability Risks

Loss of content due to changes in policies
Description: WordPress.com, which hosts this blog, may change its policies on the content which can be hosted. Alternatively, since the service is based in the US, the US Government may force content published on this blog to be removed.
Minimisation: Since this blog has a technical focus, it is felt unlikely that this will happen.

Loss of blog service due to the service being unsustainable
Description: The service may go out of business or change its terms and conditions so that the blog cannot continue to be hosted on it.
Minimisation: It is felt unlikely that the service will go out of business in the short term. If it does, or if its terms and conditions change, it is felt that due notice will be given, allowing content to be exported and the blog hosted elsewhere.

Reputational Risks

Damage to the blog author’s reputation due to inappropriate posts being published
Description: The author’s professional reputation will be undermined if inappropriate posts are published.
Minimisation: The blog’s policy states that “the blog will provide an opportunity for me to ‘think out loud’: i.e. describe speculative ideas, thoughts which may occur to me“. If such thoughts are felt to be inappropriate, or if incorrect or inappropriate content is published, an apology will be given.

Damage to the blog author’s host institution or funder due to inappropriate posts being published
Description: The reputation of the author’s host institution or funder will be undermined if inappropriate posts are published.
Minimisation: The author will seek to ensure that the conversational style of the blog does not undermine the position of the author’s host institution or funder. Occasional surveys will be undertaken to ensure that the content provided on the blog is felt to be relevant to the blog’s target audience.


Posted in Blog, Legal, Web2.0 | 3 Comments »

Will Cookie Legislation Mean That Ads Will Become Prevalent?

Posted by Brian Kelly on 14 Feb 2012

Today I launched Firefox for the first time in a long while in order to make use of a Firefox plugin for analysing cookies.

Since the browser was open I used it, rather than Google Chrome which is now my preferred browser, to view one of my blog posts. I found myself looking at a Valentine’s Day advert which was embedded at the bottom of the blog post.

I don’t normally see such ads as they are not displayed to logged in users. The advertisements are used to cover the hosting costs for the blog, and I don’t feel that it is unreasonable for WordPress to recoup their costs by providing such ads. The WordPress store states that:

We sometimes display discreet advertisements on your blog—this keeps free features free!

The ad code tries very hard not to intrude on your design or show ads to logged-in readers, which means only a very small percentage of your page views will actually contain ads.

Since I am normally logged in to WordPress I don’t see the ads provided on other blogs hosted on WordPress.com either. This suggests that a cost-free way of avoiding ads on such blogs is to sign up for a WordPress.com account and ensure that you are always logged in: you would then seem to have an ad-free environment without needing to create a blog.

However I suspect that people won’t be motivated to subscribe to a free service simply to remove an ad. After all, ads are common on many web sites and we tend, I feel, to ignore the less intrusive ones.

It should also be pointed out that ad providers are aware of the risks of serving too many ads to visitors, or of serving inappropriate ads, which is one reason why cookies are associated with ads. Such cookies can bring benefits to the visitor, by keeping a record of the number of ads served. And just as many users won’t sign up for a service to avoid seeing ads, I suspect they will be reluctant to click on Accept cookies messages whenever they visit web sites.

Of course, we could simply configure our browsers to discard any cookies which are sent, which will probably mean that we are treated as a new visitor each time we open a page on a web site and are presented with a steady stream of ads.

I wonder if the cookie legislation will adversely affect the user experience, with users having to choose between clicking on Accept cookies or not every time they visit a web site, or rejecting all cookies and having lots of ads to view on commercial web sites?

Am I alone in regarding most uses of cookies I encounter as benign, and in wishing that the EU had spent more time drafting a directive which addressed misuse of cookies whilst leaving alone the user interface environment currently enjoyed by large numbers of users?

Posted in Finances, Legal | Tagged: | 1 Comment »

The Half Term Report on Cookie Compliance

Posted by Brian Kelly on 15 Dec 2011

The EU’s Privacy and Communications Directive

Back in May 2011 I asked how UK Universities should respond to EU cookie legislation. The context to this post was the EU’s Privacy and Communications Directive, which officially came into force on 26 May 2011, the day the post was published. However, as I described, “the good news is that the ICO has recognised the complexities in implementing this legislation“, with UK websites being given a year to comply with EU cookie laws.

My initial post was followed by a report on a survey of the privacy settings of UK Russell Group University home pages. This helped to identify how cookies were being used on the institutional home pages of a selected group of institutions, to explore a tool which can be used to report on the various types of cookies, and to raise the importance of institutional activity in this area, in particular in identifying cookie usage and ensuring that documentation on such usage is provided for visitors to the institutional web site.

Update On Institutional Activities

Over six months since those two posts were published, how are institutions responding to the year’s grace which the ICO has granted?

There has been some discussion on the website-info-mgt JISCMail list on how institutions should respond. Back in May Claire Gibbons, Senior Web and Marketing Manager at the University of Bradford initiated a discussion on the Changes to the rules on using cookies and similar technologies for storing information which seems to have been the liveliest discussion on the list all year. The following month Web managers became aware of the news that 90% of visitors declined ICO website’s opt-out cookie and were worried that implementation of the legislation would result in similar loss of traffic to UK University Web sites.

Moving forward six months, on 13 December the ICO announced a new set of Guidelines on the Rules on use of Cookies and Similar Technologies (available in PDF format) in a blog post entitled Half term report on cookies compliance. It seems that they have taken a pragmatic approach which describes realistic and implementable solutions for Web site managers.

If you have responsibility for managing a Web site I would advise you to read this 26 page report. Some of the key points are given below with my personal comments.

Each extract from the guidelines is followed by my comment.

The changes to the Directive in 2009 were prompted in part by concerns about online tracking of individuals and the use of spyware. These are not rules designed to restrict the use of particular technologies as such, they are intended to prevent information being stored on people’s computers, and used to recognise them via the device they are using, without their knowledge and agreement. [Page 2]
Comment: Universities should recognise the benefits of this intention.

The initial effort is where the challenge lies – auditing of cookies, resolving problems with reliance on cookies built into existing systems and websites, making sure the information provided to users is clear and putting in place specific measures to obtain consent. [Pages 3-4]
Comment: A good summary of what institutions need to do.

Most importantly user awareness will be likely to increase as people become used to being prompted to read about cookies and make choices. A variety of consumer initiatives – such as the use of icons to highlight specific uses of cookies will also help in this area. [Page 4]
Comment: User education is key.

Setting cookies before users have had the opportunity to look at the information provided about cookies, and make a choice about those cookies, is likely to lead to compliance problems. The Information Commissioner does however recognise that currently many websites set cookies as soon as a user accesses the site. This makes obtaining consent before the cookie is set difficult. Wherever possible the setting of cookies should be delayed until users have had the opportunity to understand what cookies are being used and make their choice. Where this is not possible at present websites should be able to demonstrate that they are doing as much as possible to reduce the amount of time before the user receives information about cookies and is provided with options. A key point here is ensuring that the information you provide is not just clear and comprehensive but also readily available. [Page 6]
Comment: The guidelines acknowledge the difficulties in implementing best practices and provide a mechanism for documenting decisions.

You should also consider whether users who might make a one-off visit to your site would have a persistent cookie set on their device. If this is the case, you could mitigate any risk that they would object to this by shortening the lifespan of these cookies or, where possible given the purpose for using them, making them session cookies. [Page 6]
Comment: The guidelines accept that a risk assessment strategy may be appropriate.

This shared understanding is more likely to be achieved quickly if websites make a real effort to ensure information about cookies is made clearly available to their users, for example, displaying a prominent link to ‘More information about how our website works and cookies’ at the top of the page rather than through a privacy policy in the small print. [Pages 6-7]
Comment: Importance of a consistent user interface to privacy information.

The Information Commissioner is aware that there has been discussion in Europe about the scope of this exception. The argument has been made in some areas that cookies that are used for resource planning, capacity planning and the operation of the website, for example, could come within the scope of the exemption. The difficulty with this argument is that it could equally be made for advertising and marketing cookies (whose activities help to fund websites). The intention of the legislation was clearly that this exemption is a narrow one and the Commissioner intends to continue to take the approach he has outlined clearly in published guidance since the 2003 Regulations were introduced. [Page 9]
Comment: Analytics code which uses cookies will be subject to the guidance.

Government is working with the major browser manufacturers to establish which browser level solutions will be available and when. In future many websites may well be able to rely on the user’s browser settings as part, or all, of the mechanism for satisfying themselves of consent to set cookies.
Comment: Standards-based privacy solutions provided by browsers will be important in the future.

First steps should be to: 1. Check what type of cookies and similar technologies you use and how you use them. 2. Assess how intrusive your use of cookies is. 3. Where you need consent – decide what solution to obtain consent will be best in your circumstances. [Page 12]
Comment: Clear instruction on what institutions should be doing now.

The Information Commissioner will take a practical and proportionate approach to enforcing the rules on cookies. He has to enforce the law, but he does have some discretion in how he exercises his formal enforcement powers. [Page 24]
Comment: The Commissioner is more likely to exercise that discretion if organisations can show that they are seeking to implement best practices.

We will be keeping the situation under review and will consider issuing more detailed advice if appropriate in future. However, we do not intend to issue prescriptive lists on how to comply. You are best placed to work out how to get information to your users, what they will understand and how they would like to show that they consent to what you intend to do. What is clear is that the more directly the setting of a cookie or similar technology relates to the user’s personal information, the more carefully you need to think about how you get consent. [Page 26]
Comment: Further guidance may be produced in light of experience.

In our view the rules do not apply in the same way to intranets. [Page 26]
Comment: This seems to suggest that the legislation does not cover content which is hosted on Intranets, VLEs, etc.

My optimistic interpretation of the guidelines seems to be shared by Matt Jukes who, on the Digital by Default blog, yesterday asked whether we might be seeing A crack in the cookie craziness? Matt felt that “The final entry in the FAQ offers a glimmer of hope for those of us stressing about losing access to our usage data“, although his views were tempered slightly by concerns that “the wording seems intentionally vague and non-committal” which may “scare a lot of public sector organisations into total compliance“. Overall, however, Matt was reassured that the guidelines “does at least seem to be saying that noone is going to prosecute you for using Google Analytics – especially if you make some concerted effort to inform and educate your users about the existence of those Cookies“.

Further commentary on the guidelines has been provided by Ranjit Sidhu on the Sidspace blog. Ranjit comments that:

This is the key statement “Which method (of consent) will be appropriate to get for cookies will depend in the first instance on what cookies you use” – In other words- ‘we are not making a blanket ban- check what you are doing, if you are not being evil and creating a profile on the user without them knowing with a persistent cookie, then be sensible, do all that we have told you to do and you will be ok. And to confirm….

On the last page (p 27) specifically on “analytical cookies” they say ” In practice we would expect you to provide clear information to users about analytical cookies and take what steps you can to seek their agreement…… Provided clear information is given about their activities we are highly unlikely to prioritise first party cookies used only for analytical purposes in any consideration of regulatory action.”

Ranjit’s post concludes:

As a last point as I know there has been a lot of talk on this, and plenty of scare stories peddled by legal practitioners in particular, make sure you and your bosses are aware as to the enforcement of this (p24 of the report). The ICO will first issue an information notice if they think the organisation is doing something wrong, then ask it to take an “undertaking” notice which asks the organisation to change some practice to comply or an “enforcement” notice to make it comply, only finally if your organisation totally doesn’t listen at all will be fined! In other words, it is about the ICO helping organisations comply and improve rather than jumping out of the blue on organisations naming them as illegal and shutting them down. There are some industries this is going to affect badly…newspapers etc.. but honestly, what you Unis do in tracking is very, very low in its privacy implications.

I should probably add that neither Ranjit nor I are lawyers so our posts should not be construed as providing legal advice! However we are both in agreement that the important step for institutions is to follow the guidelines which state:

First steps should be to:

    1. Check what type of cookies and similar technologies you use and how you use them.
    2. Assess how intrusive your use of cookies is.
    3. Where you need consent – decide what solution to obtain consent will be best in your circumstances.

followed by “provid[ing] clear information to users about analytical cookies and take what steps you can to seek their agreement“.

Many institutions will use technologies such as Google Analytics for which documentation will need to be provided. In addition there will be other commonly-used systems, such as content management systems, for which shared approaches in documenting information about the purposes of the information being gathered and the approaches to seeking user agreement would be beneficial.

Claire Gibbons, Senior Web and Marketing Manager at University of Bradford is currently developing guidelines for the University of Bradford which she has described in a post on Cookies and legislation – some thoughts and a sector invite. As suggested by the title, Claire would like to invite others to contribute to:

 a Google spreadsheet … to store our info so we can share and learn from each other [in areas including:]

    • Institution name
    • Audit done
    • Types of cookies used
    • Technologies used
    • Where consent is needed
    • Any other comments
    • Link to published or draft policy

This initiative, which is being driven by practitioners, is to be welcomed. Textual information, such as details of policies, processes, etc., can be added to the Google Document on Cookie Policies. In addition a Google Spreadsheet on UK HEI Privacy Policies is also available, which can be used to provide links to privacy policies and brief comments. Finally, Delicious users may wish to add a link to their privacy policies using the privacy-uk-heis tag so that their contribution can be included in an aggregation of tagged resources (although note that following recent changes to the Delicious service its usefulness is currently uncertain).

Why You Should Actively Engage

As Ranjit points out, it is about “the ICO helping organisations comply and improve rather than jumping out of the blue on organisations naming them as illegal and shutting them down“. He also notes that some sectors will be affected badly. If the higher education sector can be seen to be implementing appropriate and achievable best practices, respecting users’ needs whilst understanding the difficulties in a blunt implementation of the legislation, this will be beneficial for the sector as a whole. I do hope you will spend a small amount of time giving comments on this post and on Claire’s, providing links to your policy statements so that others can learn from their peers, and documenting other aspects of this work which may be useful to others.

It should also be remembered that the ways in which we should respond to cookie legislation go beyond those working in institutional Web management teams. Clearly it will also be important for institutions which have a devolved approach to Web management. But responsibilities must also be shared by individuals who provide Web content, whether hosted within their institution or by third-party services.

I have just added a widget on the right-hand sidebar of this blog which describes how WordPress.com, who host the blog, make use of Google Analytics. I have gone beyond the issue of cookies by reminding people who leave comments on this blog that they are required to provide an email address. I have now published a policy which states that such email addresses will not be disclosed.

Is this an approach which we can recommend to others?

Posted in Legal | 12 Comments »

How Should UK Universities Respond to EU Cookie Legislation?

Posted by Brian Kelly on 26 May 2011

Confusions Over Cookie Legislation

The EU’s Privacy and Communications Directive comes into force at midnight tonight (26 May 2011). This requires users’ consent before cookies are used: the small pieces of data which a web site asks the browser to store and return on later requests, used for various purposes including remembering browsing information.

The UK Government’s Information Commissioner’s Office (ICO) have provided guidelines on how Web site providers can implement such legislation.  However, as pointed out by the JISC Legal service, differences in interpretation of the legislation by Ministers, the  Internet Advertising Bureau and the ICO have led to uncertainties as to what needs to be done.  The JISC Legal post concludes by highlighting such uncertainties:

This does leave website operators with a tricky decision:

  • make changes to their websites now in order to implement a belt-and-braces, but clumsy, can-we-use-cookies explicit permission each time a user visits;
  • wait until the government’s guidance on interpretation emerges, and take a view then as to whether to implement an explicit each-visit permission question;  or
  • hope that browser suppliers make the necessary changes soon enough such that website operators need do nothing.

Perhaps we should be looking to the ICO to see how it has implemented the legal requirements on its Web site. As can be seen from the following image the ICO’s Web site has introduced a new text area at the top of every page which requires users to click on the accept box.

I think it is clear that this is a very flawed solution. Not only is it very ugly, but it also appears to force users to accept cookies (note that the message “You must tick the ‘I accept cookies from this site’ box to accept” was displayed after clicking on the Continue box without selecting the option to confirm acceptance of cookies).

The Guardian has pointed out significant flaws in the legislation on its Technology blog:

One problem sites are wrestling with if the ICO insists on enforcement is a catch-22 where if people choose not to accept cookies, then sites will have to keep asking them if they want to accept cookies – because they will not be able to set a cookie indicating their preference.

What, then, is to be done?

A Year’s Grace

The good news is that the ICO has recognised the complexities in implementing this legislation.  As described on the BBC Web site:

UK websites are being given one year to comply with EU cookie laws, the Information Commissioner’s Office has said.

The UK government also sought to reassure the industry that there would be “no overnight changes”.

This provides the UK higher education sector with an opportunity to develop and implement appropriate and implementable solutions. We are seeing the Government providing indications that it is looking to see “business-friendly solutions” being developed. Ed Vaizey, the Communications Minister, has suggested that the EU directive is “a good example of a well-meaning regulation that will be very difficult to make work in practice“. Perhaps this is an example of Government policies being in alignment with those working in higher education who wish to continue to make use of Web technologies to deliver a wide range of services.

How should the sector proceed?  I feel it would be a mistake for Universities to work on their own in attempting to implement individual solutions based on institutional interpretations of the EU directive  and trying to second-guess what may be deemed to be acceptable practices.

I am in agreement with those who suggest that the opt-in/opt-out requirement should be provided by the Web browser rather than on every individual Web site. It should be noted that Microsoft’s IE 9 and the latest version of Mozilla’s Firefox offer settings to protect users from services which collect browser data. In addition Google is working at integrating so-called ‘Do Not Track‘ technologies into their Chrome browser.

In addition to such developments to Web browsers it may be appropriate to explore the potential of machine-readable privacy policies such as W3C’s P3P standard which I discussed in a previous post.  Although this standard has seen little usage since it was first published in 2002 the EU legislation might provide the motivating force which can encourage greater take-up.

At UKOLN’s IWMW 2011 event, which will be held at the University of Reading on 26-27 July, Dave Raggett will be giving a plenary talk on Online Privacy in which he will describe his EU-funded Privacy Dashboard work.  The event might also provide an opportunity for those working in Web-management who have a good understanding of the implications of privacy policies on the services they provide to agree on a sector-wide approach which can be deployed in a year’s time.

There is a slot in the event’s programme which is currently vacant. There is therefore an opportunity for a small group of University Web managers to use the next two months to develop a proposal on how the sector might implement the cookie legislation in a year’s time.

Some thoughts on what could be addressed:

  • Why cookies are needed and what concerns they raise. A briefing paper explaining these issues to policy-makers and end users.  The briefing should have a Creative Commons licence which can help to demonstrate the efficiency savings being made across the sector by avoiding duplication of such work.
  • Documenting ways in which widely used applications and technologies currently use cookies (e.g. Google Analytics, CMS systems, portals and other personalisation tools, etc.). Documentation of the implications of users opting out of use of cookies in use of these applications
  • What privacy policies should cover and possibly provision  of privacy templates.
  • Policies on preferred browsers and education on use of privacy preferences.
  • Potential of use of machine-readable policies such as P3P.

I welcome your comments and feedback.

Posted in Legal, openness | 14 Comments »

Privacy Settings For UK Russell Group University Home Pages

Posted by Brian Kelly on 24 May 2011

On the website-info-mgt JISCMail List Claire Gibbons, Senior Web and Marketing Manager at the University of Bradford, today asked “Has anyone done anything in particular in response to the changes to the rules on using cookies and similar technologies for storing information from the ICO?” and went on to add that “We were going to update and add to our privacy policy in terms of what cookies we use and why“.

This email message was quite timely as privacy issues will be featured in a plenary talk at UKOLN’s forthcoming IWMW  2011 workshop which will be held at the University of Reading on 26-27 July with Dave Raggett giving the following talk:

Online Privacy:
This plenary will begin with a report on work on privacy and identity in the EU FP7 PrimeLife project which looks at bringing sustainable privacy and identity management to future networks and services. There will be a demonstration of a Firefox extension that enables you to view website practices and to set personal preferences on a per site basis. This will be followed by an account of what happened to P3P, the current debate around do not track, and some thoughts about where we are headed.

The Firefox extension mentioned in the abstract is known as the ‘Privacy Dashboard’ and is described as “a Firefox add-on designed to help you understand what personal information is being collected by websites, and to provide you with a means to control this on a per website basis“. The output for a typical home page is illustrated.

The dashboard was developed by Dave Raggett with funding from the European Union’s 7th Framework Programme for the PrimeLife project, a pan-European research project focusing on bringing sustainable privacy and identity management to future networks and services.

In order to observe patterns in UK Universities’ online privacy practices I have used the W3C Privacy Dashboard to analyse the home pages of the Web sites of the twenty Russell Group universities. The results are given in the following table.

Column groups: Cookies (session cookies, lasting cookies, external lasting cookies); External third party (sites, cookies, lasting cookies); Invisible images.

| Ref. No. | Institution | Session cookies | Lasting cookies | External lasting cookies | Third-party sites | Third-party cookies | Third-party lasting cookies | Invisible images |
|---|---|---|---|---|---|---|---|---|
| 1 | University of Birmingham | 3 | 3 | 0 | 4 | 0 | 2 | 0 |
| 2 | University of Bristol | 0 | 0 | 0 | 4 | 0 | 6 | 8 |
| 3 | University of Cambridge | 1 | 3 | 0 | 3 | 1 | 2 | 0 |
| 4 | Cardiff University | 1 | 4 | 0 | 0 | 0 | 0 | 0 |
| 5 | University of Edinburgh | 1 | 4 | 0 | 0 | 0 | 0 | 0 |
| 6 | University of Glasgow | 2 | 3 | 0 | 2 | 1 | 6 | 2 |
| 7 | Imperial College | 3 | 3 | 0 | 3 | 0 | 2 | 0 |
| 8 | King’s College London | 3 | 3 | 0 | 3 | 1 | 6 | 0 |
| 9 | University of Leeds | 2 | 3 | 0 | 1 | 0 | 0 | 0 |
| 10 | University of Liverpool | 2 | 3 | 0 | 2 | 2 | 3 | 0 |
| 11 | LSE | 3 | 0 | 0 | 1 | 0 | 0 | 0 |
| 12 | University of Manchester | 3 | 0 | 0 | 1 | 0 | 0 | 0 |
| 13 | Newcastle University | 2 | 0 | 0 | 0 | 0 | 0 | 3 |
| 14 | University of Nottingham | 2 | 3 | 0 | 2 | 0 | 5 | 0 |
| 15 | University of Oxford | 1 | 5 | 0 | 1 | 0 | 0 | 1 |
| 16 | Queen’s University Belfast | 1 | 3 | 0 | 1 | 0 | 0 | 0 |
| 17 | University of Sheffield | 2 | 3 | 0 | 0 | 1 | 0 | 0 |
| 18 | University of Southampton | 1 | 3 | 0 | 3 | 0 | 0 | 0 |
| 19 | University College London | 1 | 2 | 7 | 0 | 0 | 0 | 0 |
| 20 | University of Warwick | 9 | 6 | 0 | 39 | 2 | 95 | 6 |
| TOTAL | | 43 | 54 | 7 | 70 | | 127 | 20 |

It should be noted that the findings appear to be volatile, with significant differences being found when the findings were checked a few days after the initial survey.
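To make the survey’s categories concrete, the following is an added example (my own code, not the Privacy Dashboard’s, PrimeLife’s or anything from this post) that computes the same seven counts for one page load from raw Set-Cookie headers and the page HTML. The page load it works on is constructed, the hostnames are placeholders, and two definitions are assumptions on my part: “external lasting cookies” is read as lasting first-party cookies whose Domain attribute points to another site, and “same site” is decided by host suffix without a public-suffix list.

```python
"""Audit one page load using the categories of the survey tables above.
Added example; not code from the Privacy Dashboard, PrimeLife or this post."""
from __future__ import annotations

from dataclasses import dataclass, field
from html.parser import HTMLParser
from urllib.parse import urlparse

@dataclass
class Cookie:
    name: str
    attrs: dict[str, str]  # attribute names lower-cased

    @property
    def lasting(self) -> bool:
        """Persistent ('lasting') cookies carry Expires or a positive Max-Age."""
        max_age = self.attrs.get("max-age", "")
        return "expires" in self.attrs or (max_age.lstrip("-").isdigit() and int(max_age) > 0)

@dataclass
class Response:
    url: str
    set_cookie: list[str] = field(default_factory=list)  # raw Set-Cookie values
    body: str = ""

def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value: name=value; Attr=value; Flag."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in filter(None, parts[1:]):
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return Cookie(name, attrs)

def site_of(host: str) -> str:
    """Site key (assumption): host minus a leading 'www.'; no public-suffix list."""
    return host.lower().removeprefix("www.")

def same_site(host: str, page_host: str) -> bool:
    a, b = site_of(host), site_of(page_host)
    return a == b or a.endswith("." + b)

class ImageScanner(HTMLParser):
    """Record each <img> and whether it is invisible (0/1 pixel or hidden by style)."""
    def __init__(self) -> None:
        super().__init__()
        self.images: list[tuple[str, bool]] = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        style = a.get("style", "").replace(" ", "").lower()
        tiny = all(a.get(d, "").rstrip("px") in ("0", "1") for d in ("width", "height"))
        hidden = "display:none" in style or "visibility:hidden" in style
        self.images.append((a.get("src", ""), tiny or hidden))

def audit(page: Response, resources: list[Response]) -> dict[str, int]:
    page_host = urlparse(page.url).hostname or ""
    first = [parse_set_cookie(h) for h in page.set_cookie]
    # 'External lasting' (assumption): lasting first-party cookies whose Domain is another site.
    external = [c for c in first if c.lasting and c.attrs.get("domain")
                and not same_site(c.attrs["domain"].lstrip("."), page_host)]
    third = [r for r in resources if not same_site(urlparse(r.url).hostname or "", page_host)]
    third_cookies = [parse_set_cookie(h) for r in third for h in r.set_cookie]
    scanner = ImageScanner()
    scanner.feed(page.body)
    return {
        "session_cookies": sum(not c.lasting for c in first),
        "lasting_cookies": sum(c.lasting for c in first),
        "external_lasting_cookies": len(external),
        "third_party_sites": len({site_of(urlparse(r.url).hostname or "") for r in third}),
        "third_party_cookies": len(third_cookies),
        "third_party_lasting_cookies": sum(c.lasting for c in third_cookies),
        "invisible_images": sum(invisible for _, invisible in scanner.images),
    }

# Constructed sample page load (hostnames are placeholders, not real sites).
SAMPLE_PAGE = Response(
    url="https://www.example.ac.uk/",
    set_cookie=["JSESSIONID=abc123; Path=/; HttpOnly",                     # session
                "lang=en; Max-Age=31536000; Path=/",                       # lasting
                "prefs=x; Expires=Wed, 01 Jan 2025 00:00:00 GMT; Path=/",  # lasting
                "partner=1; Max-Age=86400; Domain=.tracker.example.net"],  # external lasting
    body='<img src="/logo.png" width="200" height="80">'
         '<img src="https://metrics.example.net/px.gif" width="1" height="1">'
         '<img src="https://metrics.example.net/h.gif" style="display: none">'
         '<script src="https://cdn.example.org/lib.js"></script>',
)
SAMPLE_RESOURCES = [
    Response("https://metrics.example.net/px.gif", ["_tk=9f3; Max-Age=63072000", "_s=1; Path=/"]),
    Response("https://cdn.example.org/lib.js"),
    Response("https://assets.example.ac.uk/style.css", ["theme=dark; Max-Age=3600"]),  # same site
]

if __name__ == "__main__":
    print(audit(SAMPLE_PAGE, SAMPLE_RESOURCES))
```

Running it on the constructed page gives 1 session, 3 lasting and 1 external lasting first-party cookie, 2 third-party sites setting 2 cookies (1 lasting), and 2 invisible images. The volatility noted above comes from exactly the inputs this script takes: a different advertising or analytics resource embedded on a later day changes the third-party columns without any change to the institution’s own cookie policy.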

How do these findings compare with other Web sites, including those in other sectors? It is possible to query the Privacy Dashboard’s data on Web sites for which data is available, which include Fortune 100 Web sites. In addition I have used the tool on the following Web sites:

Column groups as in the table above: Cookies (session, lasting, external lasting); External third party (sites, cookies, lasting cookies); Invisible images.

| Ref. No. | Institution | Session cookies | Lasting cookies | External lasting cookies | Third-party sites | Third-party cookies | Third-party lasting cookies | Invisible images | Additional Comments |
|---|---|---|---|---|---|---|---|---|---|
| 1 | W3C | 0 | 0 | 0 | 2 | 0 | 4 | 1 | P3P Policy |
| 2 | Facebook Home page | 4 | 6 | 0 | 1 | 0 | 0 | 1 | |
| 3 | Google | 0 | 7 | 0 | 0 | 0 | 1 | 0 | |
| 4 | No. 10 Downing Street | 1 | 4 | 0 | 8 | 0 | 52 | 1 | (Nos. updated after publication) |
| 5 | BP | 1 | 1 | 0 | 0 | 0 | 0 | 2 | P3P Policy |
| 6 | Harvard | 3 | 4 | 1 | 0 | 0 | 0 | | |
| 7 | | 2 | 3 | 0 | 1 | 0 | 0 | 1 | |

I suspect that many Web managers will be following Claire Gibbons’ lead in seeking to understand the implications of the changes to the rules on using cookies and similar technologies for storing information, and reading the ICO’s paper on Changes to the rules on using cookies and similar technologies for storing information (PDF format). I hope this survey provides a context for the discussions and that policy makers find the Privacy Dashboard tool useful. But in addition to ensuring that policy statements regarding use of cookies are adequately documented, might this not also provide an opportunity to implement a machine-readable version of such a policy? Is it time for P3P, the Platform for Privacy Preferences Project standard, to make a come-back?
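For readers who have not met P3P, the machine-readable policy it defined has a compact form: a string of three-letter tokens sent in an HTTP P3P header (the CP="..." value), which browsers that implemented P3P used to decide how to treat a site’s cookies. The following is an added example of my own (not code from this post or the P3P project) that decodes such a header into the access, purpose, recipient, retention and data-category statements it makes and lists the points a privacy reviewer would pick out. The token table is a subset of the P3P 1.0 compact-policy vocabulary, the review heuristics are my own, and the header decoded in the usage section is constructed.

```python
"""Decode a P3P compact policy, the CP="..." token string carried in an HTTP P3P header.
Added example; not code from this post or the P3P project. Token meanings follow the
P3P 1.0 compact-policy vocabulary (a subset); unknown tokens are reported, not guessed."""
from __future__ import annotations

import re

# token -> meaning, grouped by the P3P policy element each token abbreviates
GROUPS = {
    "access": {"NOI": "no access to identified data", "ALL": "access to all identified data",
               "CAO": "access to contact and other data", "IDC": "access to identified contact data",
               "OTI": "access to other identified data", "NON": "no identified data collected"},
    "disputes": {"DSP": "dispute resolution procedure published", "COR": "remedy: errors corrected",
                 "MON": "remedy: monetary", "LAW": "remedy: legal"},
    "non_identifiable": {"NID": "data is not personally identifiable"},
    "purpose": {"CUR": "completing the current activity", "ADM": "site administration",
                "DEV": "research and development", "TAI": "one-time tailoring",
                "PSA": "pseudonymous analysis", "PSD": "pseudonymous decision",
                "IVA": "individual analysis", "IVD": "individual decision",
                "CON": "contacting visitors for marketing", "HIS": "historical preservation",
                "TEL": "telemarketing", "OTP": "other purposes"},
    "recipient": {"OUR": "ourselves and our agents", "DEL": "delivery services",
                  "SAM": "third parties with the same practices", "UNR": "unrelated third parties",
                  "PUB": "public fora", "OTR": "other recipients"},
    "retention": {"NOR": "not retained", "STP": "kept for the stated purpose",
                  "LEG": "kept as required by law", "BUS": "kept per business practices",
                  "IND": "kept indefinitely"},
    "category": {"PHY": "physical contact", "ONL": "online contact", "UNI": "unique identifiers",
                 "PUR": "purchase information", "FIN": "financial", "COM": "computer information",
                 "NAV": "navigation and clickstream", "INT": "interactive data",
                 "DEM": "demographic", "CNT": "content", "STA": "state management (cookies)",
                 "POL": "political", "HEA": "health", "PRE": "preferences", "LOC": "location",
                 "GOV": "government identifiers", "OTC": "other"},
    "test": {"TST": "test policy, not binding"},
}
REQUIREMENT = {"a": "always", "i": "opt-in", "o": "opt-out"}

def split_token(token: str) -> tuple[str, str]:
    """Separate the a/i/o requirement suffix that purpose and recipient tokens may carry."""
    if token and token[-1] in REQUIREMENT:
        base = token[:-1]
        if base in GROUPS["purpose"] or base in GROUPS["recipient"]:
            return base, token[-1]
    return token, ""

def parse_compact_policy(header: str) -> dict[str, list]:
    """Accept a full 'CP="..."' header value or the bare token string."""
    m = re.search(r'CP\s*=\s*"([^"]*)"', header)
    tokens = (m.group(1) if m else header).split()
    decoded = {group: [] for group in GROUPS}
    decoded["unknown"] = []
    for token in tokens:
        base, suffix = split_token(token)
        for group, table in GROUPS.items():
            if base in table:
                entry = {"token": token, "meaning": table[base]}
                if group in ("purpose", "recipient"):
                    entry["requirement"] = REQUIREMENT.get(suffix, "required")
                decoded[group].append(entry)
                break
        else:
            decoded["unknown"].append(token)
    return decoded

def review(decoded: dict[str, list]) -> list[str]:
    """Points a privacy reviewer would raise from the declared policy (my own heuristics)."""
    bases = {split_token(e["token"])[0]: e for g in GROUPS for e in decoded[g]}
    notes = []
    if "STA" in bases:
        notes.append("declares state-management (cookie) data")
    if "IND" in bases:
        notes.append("data kept indefinitely")
    for b in ("UNR", "PUB"):
        if b in bases:
            notes.append(f"data may go to {GROUPS['recipient'][b]}")
    for b in ("CON", "TEL"):
        if b in bases and bases[b]["requirement"] == "always":
            notes.append(f"{GROUPS['purpose'][b]} with no opt-out")
    if "TST" in bases:
        notes.append("marked as a test policy; treat as non-binding")
    if decoded["unknown"]:
        notes.append("unknown tokens: " + " ".join(decoded["unknown"]))
    return notes

if __name__ == "__main__":
    SAMPLE = 'CP="NOI DSP COR NID CUR ADMa DEVa TAIa PSAa CONa OUR IND UNI NAV STA"'  # constructed
    decoded = parse_compact_policy(SAMPLE)
    for group, entries in decoded.items():
        if entries:
            print(group, [e["token"] for e in entries])
    for note in review(decoded):
        print("-", note)
```

The decoder is deliberately strict about vocabulary: a site that publishes a compact policy made up of tokens the parser does not recognise gets them listed as unknown rather than silently dropped, which is the same failure a browser would face. That strictness is the point of a machine-readable policy: the human-readable statement a Web manager writes after the ICO change can say anything, whereas the compact form can only say what the vocabulary allows, so it can be checked automatically against what the site actually sets.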

Posted in Evidence, Legal, openness, standards, W3C