The Next Round of Cookie Madness | Antivirus

On May 28, 2020, the Federal Court of Justice (BGH) passed a ruling on the use of cookies, after the European Court of Justice had already ruled on the matter last year. Generally speaking, the European Court of Justice decided on an opt-in obligation for advertising measures, which contravened current German law. The BGH has therefore now followed suit and endorsed last year's ruling.




Unfortunate practice: It's not (just) about cookies!

Unfortunately, it is common to refer to these two judgments only in terms of cookies. As Dr. Schwenke writes in his current blog post on the topic, which is well worth reading, it is by no means just about cookies, and definitely not about all cookies.


The context of the judgments is data protection. Increased protection of the data of website visitors is required. So far so good. The correct umbrella term for the technologies used, the restriction of which we are talking about here, is tracking for advertising purposes. Tracking means that information about the visitor to the website and his technical equipment is collected, across all pages. This can be done with cookies but does not have to be. And by no means do all cookies serve this purpose.


It would therefore make more sense to talk about tracking technology instead of cookies. After all, many reporters manage to at least use the term “tracking cookies”, although that too is too one-sided. Long before the introduction of the GDPR, so-called fingerprinting techniques were known, which are even better than cookies for tracking users.


What is tracking

Tracking is about finding out as much as possible about a specific Internet user. As a rule, this information is then used to select and display advertising that is as well suited as possible to the respective person. Many platforms and websites ultimately have to finance themselves through this advertising.


In practice, this means that the Internet user is recognized as a dog owner, for example by visiting a shop with pet accessories and, depending on the settings there, buying a certain product. This information is added to his profile. If he is also interested in car advertisements, vehicle spare parts, vacations in the Caribbean, certain concert tickets, etc., all of this information flows together in this profile during comprehensive tracking. Movement data (cell phone GPS) and locations visited, such as shops, can also contribute to this, as can information that is in part given voluntarily, such as work and occupation. All of this data, although collected in different places and in different ways, is incorporated into this profile and over time results in a fairly precise description of the Internet user. It is not a matter of personal identification, for example the creation of a file on Lieschen Müller, but of a person X who is considered a consumer and has certain characteristics. The GDPR rightly requires consent for the creation of such profiles; without it, no profile creation can be permitted.


Such tracking is often, but by no means exclusively, carried out via cookies. Cookies are small text files that are stored by the browser used and often contain information that is essential for Internet traffic. For example, if you log in to a website, it must be able to recognize you for the duration of your connection, and this is done using one or more cookies. The shopping cart function of online shops is also based on storing your selection during your visit and, if necessary, for your return at a later point in time. This is done using cookies.


What you need to keep in mind here is the fact that computers are incredibly stupid. If you and I met on the street and started a conversation, we wouldn't have to re-introduce ourselves every few seconds and make sure the other was still there. But computers have to. Much of the communication between computers (your browser on your computer and the website on the Internet on one or more servers) consists of mutual declarations that you are still there. Imagine that, in a conversation with a person, you had to comment on every utterance with "are you still there?", "that was a question", "now comes an answer", "I'm now shifting my weight to the other leg" (analogous to "you switch from the cable network to the WLAN at home because you disconnect your notebook from the docking station in the middle of the transaction"), and you get an idea of the communication between computers. Cookies are invaluable in this regard.


All browsers offer the option of rejecting cookies or deleting them between sessions, which always results in a loss of comfort when using the Internet. With categorical cookie rejection, some things even become impossible. It is nonsense and confusing to make all cookies responsible for the tracking system. However, modern browsers are increasingly preventing tracking on their own, so that the actual problem is solved where it takes place, which means that the sprawl of cookie consents would not actually be necessary to this extent. Incidentally, the cookie consent must save your answer on your computer in a cookie, whether you accept or reject.


What website operators need to consider now

Unfortunately, the privacy advocates and the courts shift the burden of restricting tracking to the operators of websites and even fan pages on Facebook. For example, if you run a page for a company on Facebook, the data protection authorities may contact you, and not Facebook, regarding the handling of visitor data for your page. As the operator of a website like mine, you are also responsible for tracking that may take place on it. This fails to recognize that by no means every website operator (read: practically none) has full knowledge of the technology that his website uses. For example, I've seen WordPress themes, even commercial ones, that automatically set a Facebook pixel that Facebook tracks. You can compare that to a chip sewn into new clothes,


Unfortunately, it is the case that the website operators are held responsible, so they have to react. To do this, you should first find out whether there is any tracking on your website.
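A first pass at that check, as an added example that is not part of the original post: it lists the third-party hosts referenced by a page's static HTML and flags the hosts used by the Facebook pixel and Google Analytics. The sample page, `example.org`, the placeholder IDs and the function name are constructed for illustration.

```javascript
// Constructed sample page; example.org stands in for your own site.
const SAMPLE_HTML = `
<html><head>
<script src="/wp-includes/js/jquery.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
<link rel="stylesheet" href="https://example.org/theme/style.css">
</head><body>
<noscript><img height="1" width="1" src="https://www.facebook.com/tr?id=0000&ev=PageView"></noscript>
<iframe src="//player.video-host.example/embed/1"></iframe>
</body></html>`;

// Illustrative, incomplete list: hosts used by the Facebook pixel and by
// Google Analytics / Tag Manager, the two trackers this article names.
const KNOWN_TRACKERS = new Set([
  'connect.facebook.net', 'www.facebook.com',
  'www.google-analytics.com', 'www.googletagmanager.com',
]);

// Returns one entry per third-party host referenced by script, img, iframe
// or link tags, in order of first appearance.
function auditThirdParties(html, pageUrl) {
  const ownHost = new URL(pageUrl).hostname;
  const findings = new Map();
  const tagRe = /<(script|img|iframe|link)\b[^>]*?\b(?:src|href)\s*=\s*["']([^"']+)["']/gi;
  for (const [, tag, ref] of html.matchAll(tagRe)) {
    let host;
    try {
      host = new URL(ref, pageUrl).hostname; // resolves relative and //host URLs
    } catch {
      continue; // not a parseable URL
    }
    // Skip hostless references (e.g. data: URLs) and first-party hosts.
    if (!host || host === ownHost || host.endsWith('.' + ownHost)) continue;
    if (!findings.has(host)) {
      findings.set(host, { host, tags: [], knownTracker: KNOWN_TRACKERS.has(host) });
    }
    const entry = findings.get(host);
    const name = tag.toLowerCase();
    if (!entry.tags.includes(name)) entry.tags.push(name);
  }
  return [...findings.values()];
}

for (const f of auditThirdParties(SAMPLE_HTML, 'https://example.org/')) {
  console.log(`${f.knownTracker ? 'TRACKER' : 'review '} ${f.host} via <${f.tags.join(', ')}>`);
}
```

A static scan only sees what is in the delivered HTML; resources that a theme or plugin script injects at runtime show up only in the browser's network panel, so check there as well.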


You also have to keep in mind that some typical gateways for tracking, especially Google Analytics, lose their meaning if used by the rules. You must ask the visitor for permission when entering the website, save the response, and keep it editable. The clarification must take place immediately and in detail: each individual tracking measure must be explained and individually switchable. A button for categorical consent may exist, but there may not be a corresponding pre-selection, and a categorical rejection must be just as clearly possible and visible. It should be obvious that Google Analytics can no longer collect meaningful data on such a basis, so one should look for an alternative.


With the Matomo open-source solution, which you run yourself on your server, no data is passed to third parties, for example. You can use it to evaluate visits, movements on the website, downloads of certain offers, etc., as well as certain technical information (browser, operating systems, functionalities of the visitors' computers) to improve your offer, but a profile will not be created unless you have consciously set up that functionality. In the article linked at the beginning, Dr. Schwenke comes to the conclusion that there is only a low risk here with pure web analysis. A mention in the data protection declaration and an opt-out there are still necessary (see e.g. my data protection declaration).


Other statistics tools such as the WordPress plugin Statify only collect superficial data: where a visitor comes from and which pages were opened. It is not even possible to follow a visitor's navigation through the site, which is an important function in shops, for example, to determine where and why the site was abandoned. But if you just want to know how many users came from Google and which pages are the most read, then something like that is perfectly fine. Nothing is tracked here, not even IP addresses (which, according to German law, also represent personal data).


What website visitors can expect now

All of this is about protecting the data of website visitors. How does the current ruling affect you?


As a visitor to websites, you can assume that in the future you will encounter even more, even larger, and even more annoying cookie consents on the Internet than you already have, even where it is not necessary due to a lack of tracking. Where it is necessary, it has so far often not been implemented or implemented insufficiently. I rarely see cookie consent that has been correctly implemented. The consent you see when you open the linked post by Dr. Schwenke should conform to the rules, although even there the categorical rejection is less evident than the acceptance.


If consent has been correctly implemented, it should contain a precise description of each individual tracking tool and make each one individually switchable. All must be turned off by default. As a rule, blanket approval will be possible, and blanket rejection should be possible. It must then be possible to continue to access and change these settings. And if you only close the consent, or simply leave it open and ignore it because you can read past it what is on the page, no tracking is allowed.
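One way to express these rules in code, as an added example that is not part of the original post: every tool is off until switched on, the answer (including a rejection) is stored in a cookie, and anything missing or unreadable counts as no consent. The tool ids, the cookie name `consent_v1` and the 180-day lifetime are assumptions.

```javascript
// Hypothetical tool ids and cookie name, chosen for this example.
const TOOLS = ['google_analytics', 'facebook_pixel', 'embedded_video'];
const COOKIE_NAME = 'consent_v1';

// All off: the state before any answer and after closing or ignoring the banner.
function denyAll() { return Object.fromEntries(TOOLS.map(t => [t, false])); }
// Blanket approval; must be an explicit click, never a pre-selection.
function acceptAll() { return Object.fromEntries(TOOLS.map(t => [t, true])); }

// Individual switch, also used later from a "change settings" link.
function setTool(state, id, on) {
  if (!TOOLS.includes(id)) throw new Error('unknown tool: ' + id);
  return { ...state, [id]: Boolean(on) };
}

// Serialize the answer as a cookie; a full rejection is stored as an empty list.
function writeConsent(state) {
  const granted = TOOLS.filter(t => state[t] === true);
  const value = encodeURIComponent(JSON.stringify(granted));
  return `${COOKIE_NAME}=${value}; Path=/; Max-Age=15552000; SameSite=Lax; Secure`;
}

// Parse a Cookie header or document.cookie string. Missing, malformed or
// unknown entries never grant anything.
function readConsent(cookieString) {
  const state = denyAll();
  const pair = (cookieString || '').split(/;\s*/)
    .find(p => p.startsWith(COOKIE_NAME + '='));
  if (!pair) return { answered: false, state };
  let granted;
  try {
    granted = JSON.parse(decodeURIComponent(pair.slice(COOKIE_NAME.length + 1)));
  } catch {
    return { answered: false, state };
  }
  if (!Array.isArray(granted)) return { answered: false, state };
  for (const id of granted) if (TOOLS.includes(id)) state[id] = true;
  return { answered: true, state };
}

// Gate: inject a tool's snippet only when this returns true.
function mayLoad(id, cookieString) {
  return readConsent(cookieString).state[id] === true;
}
```

`answered` tells the page whether to show the banner again; `mayLoad` is the only thing a tracker snippet should depend on.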




I am curious to what extent the examples of such consent will increase in the future. In the meantime, however, the prevention of tracking by my Firefox browser, the Ghostery plugin, and my AdBlocker is enough for me. Because in the end many will reflexively agree because the button is so conveniently located, something I cannot always absolve myself of either, and the browser will still restrict the tracking.
