2012 Predictions 7: Cookies, Cons and More

December 7, 2011

{b}From Mark Turner, Partner, Herbert Smith LLP{/b}


The cookie monster will come roaring out of the jar in 2012. Although the monster grumbled in 2011 when new laws stemming from the EU Citizens Rights Directive came into force in the UK, the subsequent decision of the Information Commissioner to grant a 12-month reprieve on enforcement satisfied the monster’s appetite temporarily.
However, this grace period expires in 2012 and organisations will need to decide what action, if any, they are going to take in order to try and achieve compliance without impacting the all-important customer experience. In monitoring the situation, the Information Commissioner may decide to make a sacrifice to appease the monster, or continue to wait for some form of technological solution to come out of the various working groups looking at the problem.
If enforcement action commences, we can expect to see a plethora of consent mechanisms appearing on web sites all over the UK and Europe. They will not follow the precedent set by the Information Commissioners Office (www.ico.gov.uk) or by Delia Online (www.deliaonline.com).

{i}Article 29 Working Party{/i}

As legal practitioners, privacy advocates and information officers across Europe continue to hold their breath and wait for the all-singing, all-dancing Data Protection Directive 2012 proposal to emerge from the European Commission, some eyes may start to focus on the continued role of the Article 29 Working Party.
Opining in 2011 on everything from RFID applications to geo-location services and the level of data protection in New Zealand, the Working Party has a unique role in shaping data protection policy and law in the European Member States. A role that is usually exercised in deliberations behind closed doors, without public or industry consultation and without any way of challenging its interpretations of the law, short of litigation in the European Court. Is 2012 the year when the Working Party will be required to become accountable to its stakeholders and the public?

{b}From Alastair Morrison, Strathclyde University{/b}

The ‘reprieved’ cheque will take on a new lease of life and last for another hundred years as our faith in the security of online transactions evaporates completely!
Only joking but, as we all know, fundamental to the proper working of much of our lives is trust. For example, the ongoing financial turmoil is testament to how commerce suffers when confidence is lacking. More particularly, e-commerce is largely built on the trust we have in our secure – SSL – connections. If we loose faith in the ‘closed padlock’ e-commerce and business in general will suffer.
The bad news is that SSL, Certificate Authorities (CAs), in fact the whole security infrastructure on which our e-commerce world is based and in which we have somewhat blind faith has been and continues to be compromised. Incidents over recent years demonstrate that we cannot always be sure that the site with which we are transacting is what it claims to be, or that what we believe to be an encrypted link cannot in fact be monitored.
To give just one example from this year, hackers broke into the servers of a reseller of Comodo (one of the world’s most widely used certificate authorities) and forged certificates for Gmail, Skype, Hotmail, Yahoo and Mozilla. It took two, seven and eight days for the counterfeits to be blacklisted by Google Chrome, Mozilla Firefox and MS IE respectively. The vulnerability of users of those browsers in the interim will be apparent to us all.
Expect to see more such incidents in 2012 (especially as online crime is becoming ever more sophisticated and well resourced) and the issue to become much more widely and prominently discussed. Expect also to see public concern increase in the coming year when the reporting moves from the tech press to the mainstream media. This is as it should be, as we should all be concerned when we consider the reliance that banks, credit card companies, large and small businesses, not to mention us all as individuals, place on the system. Furthermore, expect to see strenuous efforts being made to overhaul the system of trust by Google, Amazon and all the other players who have so much to lose if online transacting declines.
The good news is that solutions are already being proposed and discussed. But don’t hold your breath. Finding agreement among the affected browser makers, web site operators, CAs and end users is a major challenge; none of these parties wants any disruption to ‘business as usual’. However, a few cases of major financial loss should focus the minds of all these parties and cause them to redouble their efforts, for they certainly cannot afford to take the risk that people start to turn away from e-business; however unlikely they, you, or I think it is that this could ever happen!