Cookies and Trackers: Inventorying and Analyzing Your Cookie Practices
The European Union continues to change the face of privacy rights and thereby the obligations of organizations that process personal information and otherwise interact with people. In 2009, the European Union updated its directive on privacy and electronic communications, requiring website operators not only to provide notice to website users when cookies are used, but also to seek consent unless the cookies are “strictly necessary” to provide the service. For example, cookies for shopping carts, authentication, and fraud protection are generally deemed necessary, whereas those for advertising and analytics are not.
The so-called “Cookie Directive” requires the member nations of the European Union to enact and enforce laws to meet this requirement, and rules and guidance began to be established at the national level in 2011. Even so, not all countries had enacted rules, and those that did lacked harmony in the associated guidance. In addition, the data protection authorities, granting grace periods for implementation, had not yet begun to enforce the rules.
The Cookie Directive significantly changes the online privacy rules, but organizations had already been losing control and accountability over their use of cookies and other tracking techniques on their websites. Increasingly complex websites, lack of central management of online analytics, and new breeds of tools (e.g., active content such as scripts, ETags, local storage objects) often result in a rather chaotic environment across an organization’s web properties. With the enforcement of the Cookie Directive looming, and other general online privacy rules already in effect, it is a good time to understand the use of cookies and trackers and to bring order to the chaos.
Tools
There is no single tool that fully automates the task of inventorying and analyzing cookies and other tracking techniques used on a website. Rather, a combination of tools is needed to identify, catalog, and inspect those objects. Some organizations may employ website compliance monitoring services, but most do not have suitable capabilities in place.
Evidon and TRUSTe have recently launched cookie inventory services, and tools such as Hi-Software’s Compliance Sheriff can aid in the collection of information about cookies and third party objects being used.
Athena uses a combination of add-ons to standard browsers to support the discovery and cataloging of these objects. We rely primarily on the Mozilla Firefox browser with cookie management and export add-ons to help us view cookies and to extract them from the browser into reports. We also use an HTTP header viewer add-on so that we can review the exchange of HTTP headers between the browser and website, including where cookies are set and read and where ETags are used. We also use the iPerceptions Web Analytics Solution Profiler to catalog the use of third party scripts and other active content encountered. Ghostery is used as a further check by which we can validate the completeness of our identification of the analytics and tracking scripts and other active content. Finally, we set the permissions on Adobe Flash Player to inform us of attempts to write Flash local shared objects to our devices.
Our Standard-issue Toolset
Mozilla’s Firefox with the following add-ons:
- Cookies Manager+
- Cookie Exporter
- LiveHTTPheaders
- Ghostery
- Collusion
- Web Analytics Solution Profiler
Approach
Although it is not uncommon for websites to have thousands, if not millions, of pages, we prefer to manually interact with the websites for much of the discovery and analysis of cookies and trackers. Our goal is to interact with the website as a human user would, and to understand how the different interactions result in different encounters with cookies and trackers. For example, we browse, subscribe, register, log in, log out, manage accounts, shop, and otherwise use the website as a human user would. In general it is sufficient to identify the primary set of cookies and trackers encountered, but in some cases we create a checkpoint after key actions, such as recording the cookies present after login and again after logout (a session cookie that survives logout is worth noting).
We simultaneously capture HTTP headers so that we can correlate the Set-Cookie headers in responses (where cookies are set) with the Cookie headers in requests (where cookies are read). This also gives us visibility into other HTTP techniques that can be used for tracking, such as ETags.
We also browse with the Web Analytics Solution Profiler enabled to identify and catalog third party scripts and other active content, some of which may be associated with cookies already detected, but others may not be directly associated with any cookies.
Cookie Analysis
In general, we catalog cookies according to the following parameters.
- Name: The name assigned to the cookie.
- Domain and Path: The web domain, website, and path within the website in which the cookie is used. The browser sends the cookie only with requests that match both.
- Sample Contents: Representative content in the data field.
- Secure: Whether the cookie carries the Secure attribute. The browser sends a Secure cookie to the website only over HTTPS connections; without the attribute, the cookie is also sent over plain HTTP.
- Expiration: The expiration date and time assigned to the cookie if it persists, or an indication that the cookie is a session cookie.
We further analyze the cookies regarding the following characteristics:
- Purpose: Identify the purpose or purposes of the cookie. Determine if the cookie otherwise has an appropriate and non-obsolete purpose. Understanding the purpose is a key step to dealing with the Cookie Directive when working through methods of achieving consent for cookie use. We might recommend renaming cookies to be more aligned to their intended purpose.
- Strictly Necessary: Determine if the cookie is strictly necessary for the service requested by the user. This is a strong standard; being an important cookie is not the same as being strictly necessary. If the cookie is not strictly necessary, then consent of the user will be required for operations involving European Union users.
- Responsible Party: Determine whether the cookie is a first party cookie (i.e., set in the domain of the website) or a third party cookie (i.e., set in another domain). Beyond that distinction, identify the legal entity responsible for the cookie at this stage.
- Excessive Domain and Path: Determine if the domain, website, and path are appropriate for the intended use of the cookie. Cookies can be constrained so that they are set and read only where needed; a cookie set on a parent domain rather than on the specific host is sent to every subdomain of that domain.
- Inappropriate Contents: Determine if the contents include plaintext personal or otherwise confidential information, such as a user name, email address, IP address, or other user specific codes. In general, plaintext confidential information should not be in the data field, and the data that is contained should be specifically protected to thwart replay and cookie poisoning, among other forms of cookie-based attacks.
- Secure: Determine if the cookie should be set as Secure. A cookie should carry the Secure attribute if it is only needed over HTTPS sessions with the website; otherwise the browser will also send it over unencrypted HTTP, where it can be intercepted.
- Appropriate Lifetime: Determine if the cookie expiration represents an appropriate lifetime related to its purpose. Session cookies will expire at the end of the session or when the browser closes. Persistent cookies may not expire for hours, months, years, or decades depending on the setting.
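The parameters and characteristics above can be applied mechanically to a header capture. The following is an added example, not code from the original article: a Python script, using only the standard library, that parses Set-Cookie headers captured with a header viewer and produces an inventory carrying the parameters above plus flags for the characteristics analyzed (third party, Secure, broad domain, plaintext personal data, long lifetime). The sample capture, the site domain example.com, the reference date and the one-year lifetime threshold are constructed assumptions, and the HttpOnly check goes beyond what the article lists.

```python
"""Cookie inventory and analysis from captured Set-Cookie headers.

Added example, not code from the original article. It assumes the Set-Cookie
headers were captured with a header viewer, as the article describes, and
pasted in as (request URL, [Set-Cookie values]) pairs.
"""
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import urlparse

# Assumed reference date so lifetimes are reproducible; use datetime.now(timezone.utc) in practice.
NOW = datetime(2012, 5, 1, tzinfo=timezone.utc)
LONG_LIVED = timedelta(days=365)  # assumed threshold; the article sets none
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample capture for a hypothetical site, example.com.
SAMPLE_CAPTURE = [
    ("https://www.example.com/account/login", [
        "SESSIONID=a1b2c3d4; Path=/; Secure; HttpOnly",
        "lastuser=alice@example.com; Domain=example.com; Path=/; "
        "Expires=Wed, 01 Jan 2031 00:00:00 GMT",
        "cart=3; Path=/shop; Max-Age=3600",
    ]),
    ("https://tracker.example.net/pixel.gif", [
        "uid=7f3a; Domain=.example.net; Path=/; Expires=Thu, 01 Jan 2026 00:00:00 GMT",
    ]),
]


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def cookie_expiry(attrs):
    """Expiry as an aware datetime, or None for a session cookie.
    Max-Age takes precedence over Expires, as RFC 6265 specifies."""
    if "max-age" in attrs:
        return NOW + timedelta(seconds=int(attrs["max-age"]))
    if "expires" in attrs:
        when = parsedate_to_datetime(attrs["expires"])
        return when if when.tzinfo else when.replace(tzinfo=timezone.utc)
    return None


def analyze_cookie(request_url, header, site_domain):
    """Catalog one cookie and flag the characteristics the article reviews."""
    host = (urlparse(request_url).hostname or "").lower()
    name, value, attrs = parse_set_cookie(header)
    domain = attrs.get("domain", host).lstrip(".").lower()
    expiry = cookie_expiry(attrs)
    flags = []
    if domain != site_domain and not domain.endswith("." + site_domain):
        flags.append("third-party")
    if "secure" not in attrs:
        flags.append("not-secure")       # will also be sent over plain HTTP
    if "httponly" not in attrs:
        flags.append("no-httponly")      # beyond the article: readable by page script
    if "domain" in attrs and domain != host:
        flags.append("broad-domain")     # parent domain: sent to every subdomain
    if EMAIL_RE.search(value) or IPV4_RE.search(value):
        flags.append("plaintext-pii")
    if expiry is not None and expiry - NOW > LONG_LIVED:
        flags.append("long-lived")
    return {
        "name": name, "domain": domain, "path": attrs.get("path", "/"),
        "sample": value, "secure": "secure" in attrs,
        "expires": expiry.isoformat() if expiry else "session",
        "set_by": request_url, "flags": flags,
    }


def build_inventory(capture, site_domain):
    """One inventory row per Set-Cookie header in the capture."""
    return [analyze_cookie(url, h, site_domain) for url, headers in capture for h in headers]


def cookies_with_flag(inventory, flag):
    """Names of the cookies carrying a given flag, sorted for reporting."""
    return sorted(c["name"] for c in inventory if flag in c["flags"])


if __name__ == "__main__":
    for c in build_inventory(SAMPLE_CAPTURE, "example.com"):
        print(f"{c['name']:<10} {c['domain']:<16} {c['path']:<6} "
              f"{c['expires']:<26} {', '.join(c['flags']) or 'ok'}")
```

Each flag corresponds to a row of the characteristics list and is a prompt for review, not a verdict: the strictly-necessary and purpose determinations still require a person who knows what the cookie is for.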
Using the Web Analytics Solution Profiler add-on to Firefox, we also identify the following characteristics of the third party scripts and other active content that it detects:
- Location: The URL of the page on the website where the object was found.
- Page Name: The natural language name given to the page where the object was located.
- Service Provider: The name of the service provider and, when known, the specific service involved with the object.
- Tracking Object: The URL to which the object refers.
Normally, a list of the third parties whose scripts and trackers are used, including some representative entries, is sufficient for the purposes of cataloging and analyzing the use of these services on a website. Although some of the services encountered may operate without cookies, their presence will still affect the overall privacy approach a website operator takes.
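As an added example, not code from the original article and not the Web Analytics Solution Profiler add-on it describes, the following Python script produces the same catalog (location, page name, service provider, tracking object) for the externally loaded scripts, frames and images on one page, using only the standard library, and classifies each as first or third party by host. The page URL, page name, site domain and HTML are constructed for illustration, and the host is used as a stand-in for the provider name the article records.

```python
"""Catalog of scripts and other active content found on a page.

Added example, not code from the original article. The page URL, page name,
site domain and HTML below are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Element attributes that load active or trackable content from a URL.
ACTIVE_CONTENT = {"script": "src", "iframe": "src", "img": "src",
                  "embed": "src", "object": "data"}

PAGE_URL = "https://www.example.com/news/"   # assumed
PAGE_NAME = "News landing page"               # assumed natural-language page name
SITE_DOMAIN = "example.com"                   # assumed first-party domain
SAMPLE_HTML = """<html><head><title>News</title>
<script src="/static/site.js"></script>
<script src="https://cdn.analytics-example.net/tag.js" async></script>
</head><body>
<iframe src="https://ads.example.net/frame?slot=1"></iframe>
<img src="https://tracker.example.net/pixel.gif?u=1" width="1" height="1">
<img src="/img/logo.png" alt="logo">
<script>window.dataLayer = window.dataLayer || [];</script>
</body></html>"""


class ActiveContentCollector(HTMLParser):
    """Collect (element, absolute URL) for every externally loaded object.
    Inline <script> blocks carry no src and are not cataloged; the header
    capture described in the article shows what they load at run time."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.objects = []

    def handle_starttag(self, tag, attrs):
        wanted = ACTIVE_CONTENT.get(tag)
        if wanted is None:
            return
        for name, value in attrs:
            if name == wanted and value:
                self.objects.append((tag, urljoin(self.page_url, value)))


def is_third_party(url, site_domain):
    """True when the object is served from outside the website's own domain."""
    host = (urlparse(url).hostname or "").lower()
    return host != site_domain and not host.endswith("." + site_domain)


def catalog_page(page_url, page_name, html, site_domain):
    """One row per object, with the fields the article records for each."""
    collector = ActiveContentCollector(page_url)
    collector.feed(html)
    rows = []
    for tag, url in collector.objects:
        rows.append({
            "location": page_url,
            "page_name": page_name,
            # The article records the provider's name; the host stands in for it here.
            "service_provider": urlparse(url).hostname,
            "tracking_object": url,
            "element": tag,
            "third_party": is_third_party(url, site_domain),
        })
    return rows


def third_party_providers(rows):
    """Sorted, de-duplicated list of third-party hosts seen across the catalog."""
    return sorted({r["service_provider"] for r in rows if r["third_party"]})


if __name__ == "__main__":
    rows = catalog_page(PAGE_URL, PAGE_NAME, SAMPLE_HTML, SITE_DOMAIN)
    for r in rows:
        print("3rd" if r["third_party"] else "1st", r["element"], r["tracking_object"])
    print("third-party providers:", third_party_providers(rows))
```

Run across the pages visited during the manual walk-through, the de-duplicated provider list is the summary the article describes as normally sufficient; the per-row catalog is the representative entries behind it.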
Next Steps
The inventory and analysis of cookies is just the first step. Next steps to be considered include the following:
- Cleaning up the cookies in use. The inventory and analysis can be used to identify cookies no longer needed and cookies whose contents or use warrant tailoring.
- Establishing a suitable consent mechanism. For websites that must comply with European national data protection law, the means to solicit and receive consent of the user will need to be established. Although none of the methods shown in the guidance are directly appealing to website operators, an approach or set of approaches will be needed to comply.
- Revising the privacy statement. Although the revision to the cookies is the first step, a review of the privacy statement for the website is also warranted. The privacy statement should be revised as needed to precisely characterize the use of first and third party cookies, and to describe the consent mechanisms available. This revision may also affect information previously collected through cookies; if the changes are significant, notification to users may be warranted.
Although the Cookie Directive is a good reason to inventory and analyze the cookies used on your website, organizations without European operations will also benefit from increasing their understanding of cookies and improving their practices related to cookie use across their websites.
References
In addition to the references indicated in the text, the following provide guidance related to cookies and the Cookie Directive.
- European Network and Information Security Agency (ENISA), “Bittersweet cookies. Some security and privacy considerations”, http://www.enisa.europa.eu/act/it/library/pp/cookies/at_download/fullReport, February 2011.
- European Parliament and Council, “Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 amending Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws”, http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2009:337:0011:0036:En:PDF, November 2009.
- European Commission, Article 29 Working Party, “Opinion 16/2011 on EASA/IAB Best Practice Recommendation on Online Behavioural Advertising”, http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2011/wp188_en.pdf, December 2011.
- Ireland Office of the Data Protection Commissioner, “Guidance Note on Data Protection in the Electronic Communications Sector”, http://www.dataprotection.ie/viewdoc.asp?DocID=1152#6, 1 July 2011.
- République Française Commission Nationale de l’Informatique et des Libertés (CNIL), “Ce que le "Paquet Télécom" change pour les cookies” (What the Telecoms Package changes for cookies), http://www.cnil.fr/en-savoir-plus/fiches-pratiques/fiche/article/ce-que-le-paquet-telecom-change-pour-les-cookies/, October 2011. See http://www.cnil.fr/english/news-and-events/news/article/what-the-telecoms-package-changes-for-cookies/ for the English language translation.
- Union Française du Marketing direct et Digital, “Guide de bonnes pratiques concernant l’usage des cookies publicitaires” (Good practice guide on the use of advertising cookies), http://www.ufmd.org/downloads/Documents-de-reference_t13740.html (for links to French and English language versions), 10 April 2012.
- United Kingdom International Chamber of Commerce (ICC), “ICC UK Cookie Guide”, http://www.international-chamber.co.uk/components/com_wordpress/wp/wp-content/uploads/2012/04/icc_uk_cookie_guide.pdf, 2 April 2012.
- United Kingdom Information Commissioner’s Office (ICO), “Guidance on the rules on use of cookies and similar technologies”, http://www.ico.gov.uk/news/latest_news/2011/~/media/documents/library/Privacy_and_electronic/Practical_application/guidance_on_the_new_cookies_regulations.ashx, December 2011.
- United Kingdom Information Commissioner’s Office (ICO), “Changes to the rules on using cookies and similar technologies for storing information”, http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications/the_guide/~/media/documents/library/Privacy_and_electronic/Practical_application/advice_on_the_cookies_regulations.ashx, 9 May 2011.
Moving Privacy from In Place to Enhanced
By Hugh Kominars, CISA, CISM, QSA, ControlCase, and Brian Tretick, CIPP/US/IT/E, Athena
Use of governance, risk management and compliance (GRC) tools is necessary for evolution.
An increasingly difficult challenge to manage
Privacy is driven by an increasingly complex and pervasive set of rules and risks, affecting nearly every aspect of the organization. Complexity comes from a vast set of national and local laws and regulations, corporate policies, operational procedures, contractual terms, and service agreements over the use of personal information. Complexity is also derived from the diverse business functions that process personal information, and the information technology used to collect, create, process, store, and transfer the information.
In fact, privacy is an issue in all situations where personal information is handled, from data centers and production systems to third parties and end user devices well outside the control and custody of the organization. This pervasiveness also means that privacy is not the domain of an isolated compliance group, but rather an enterprise-wide concern, spanning research and development, products and services, sales and marketing, information technology operations, human resources, and the third parties with whom the enterprise exchanges personal information. The net result is that privacy has become one of the most demanding business issues faced by organizations today.
With increasing expectations of excellence
It is rare that management would be content with any part of the organization being run inefficiently or ineffectively. Yet many organizations have yet to evolve Privacy GRC to meet, efficiently and effectively, the demands of the new decade and the increasing complexity and pervasiveness of privacy. Throughout the financial crisis, organizations focused not only on cutting costs across the enterprise, but also on improving the performance of business operations. To be able to address privacy’s complexity and pervasiveness, organizations must also improve the performance of their Privacy GRC functions: privacy must be run like a business.
This means that Privacy GRC needs to attain the levels of operational effectiveness embodied by the rest of the business. Among other things, processes should be formalized, repeatable, and monitored. Very few Privacy GRC functions are done only once; if they were, they might not even have been worth doing at all. Therefore, it is imperative to build Privacy GRC functions that are formalized, repeatable, and monitored. These are the expectations of management, shareholders, regulators, and even customers. If you are not at least incrementally improving your Privacy GRC processes, you are unlikely to be able to keep up with the increasingly complex and pervasive rules and risks that affect your use of personal information across the extended enterprise.
That drive the need to evolve from In Place to Enhanced
Most organizations that have addressed privacy to date have at least put Privacy GRC In Place; that is, most have done something to manage privacy. Investment in Privacy GRC, therefore, should be focused on evolving from In Place to Enhanced. This is even more critical for organizations with multiple business units, in multiple countries or jurisdictions, or with multiple regulators. Enhanced Privacy GRC means that the processes in response to risk and compliance obligations are done well and operate with efficiency. To do this, organizations should:
Formalize Privacy GRC functions. The Sarbanes-Oxley era ushered in the saying, “If it isn’t documented, it isn’t done.” The saying implied that there was a lack of assurance that something was being done if there was no record of it, and if it was actually done there was little evidence that it was done well and could be done again with a similar outcome. Business functions worth doing are worth documenting. This goes for Privacy GRC functions as well. Therefore, the first objective in moving from In Place to Enhanced is refining and documenting the supporting processes.
Monitor Privacy GRC functions. There are several truths relevant to monitoring. The first is, “Anything that can be done can be measured.” In fact, the biggest challenge is taking measurements that matter. That saying is further supported by the following: “That which gets measured gets done.” If you do something but do not measure it, you cannot demonstrate that your Privacy GRC initiatives are in place, complete, compliant or effective. The next objective, therefore, is adding monitoring to Privacy GRC functions, not just at a central point but also throughout the organization where the functions are performed. This monitoring could be performed through administrative procedures, but as we will see with the next objective, technology enablement is fundamental.
Automate Privacy GRC functions. Dozens of national laws and hundreds of implementing regulations and good practice guidelines affect multinational companies. If you add to that burden the US states, Canadian provinces, industry standards, corporate policies, and contractual requirements, you get more than will fit neatly in a chart or spreadsheet. The key to technology enablement is to automate an effective process. It has been said of automation that, “Automation applied to an efficient operation will magnify the efficiency, whereas automation applied to an inefficient operation will magnify the inefficiency.” Automation is needed for policy management, risk management, compliance management, incident management, monitoring, and internal control itself, if for nothing else than to streamline the non-value-added and administratively burdensome activities. The third objective is enabling Privacy GRC functions with technology to support their effective performance and monitoring.
These objectives form a triumvirate for Enhanced Privacy GRC. Organizations with a mandate for effective and efficient business processes need to formalize, monitor, and automate the functions in privacy programs and those that operationalize Privacy GRC within the business units themselves.
Requiring a structured view of Privacy GRC
With those objectives in mind, a structured and complete view of Privacy GRC is required. The Athena Privacy Framework offers a method to organize Privacy GRC. It is briefly illustrated below.
Management Level: Governance | Risk Management | Compliance
Control Level: Policy | Internal Control | Technology Management | Third Party Management | Incident Management | Training and Awareness
Information Level: Process | Entities | Technology
Starting at the Information Level as a foundation, the organization must understand and account for the processes that handle personal information, the entities that perform those processes (i.e., the first, second, third and even fourth parties), and the technology and media used to collect, create, use, store, and transfer the personal information. Without such an understanding, the organization cannot effectively apply controls or govern the use and protection of the personal information.
At the Control Level, the organization establishes business rules (e.g., through policies and procedures) over personal information, implements an environment of internal control, manages the technology and other parties involved, manages incidents and other events including those that might be indicative of a breach, and undertakes the training and education of users of personal information.
At the Management Level, the organization establishes the roles and responsibilities throughout the enterprise, identifies and assesses privacy risk, and establishes compliance functions associated with privacy and personal information.
Organizations with Privacy GRC In Place will have something in each of the components of the framework. Improvements in Privacy GRC from In Place to Enhanced will require changes not in what gets done but rather in how it gets done. Formalization, monitoring, and automation are key to evolving to Enhanced Privacy GRC.
And requiring the automation of key functions
Using the privacy framework, an organization can develop a comprehensive approach to automating Privacy GRC. With technology enablement in mind, key considerations include the following:
Information Level
Process. Many organizations focus on information in databases, servers, and workstations; the purpose for which the personal information is used, however, is key to determining privacy requirements, such as those for notice, choice and consent, subject access, and even process and application controls.
Entities. Legal entities are ultimately responsible for complying with privacy laws and regulations, and the nature of the legal entities is a factor in privacy risk. Entities include affiliated parties (e.g., parent, subsidiary, and peer companies) and unaffiliated parties (e.g., third and even fourth parties).
Technology. Scanning to discover personal information in networks, databases, servers, workstations, and other user devices. The presence of personal information can be assessed for its appropriateness, and the protection measures for personal information in the different technologies may be assessed for adequacy.
Control Level
Policy. Policy needs to be in the right hands at the right time. Policy management may automate the communication of policy, acknowledgement and certification to its objectives, and updates and clarifications over time.
Internal Control. Without automation of internal control, both implementing it and monitoring it, an organization cannot effectively manage privacy. Many organizations need to move beyond automation of internal control solely for financial processes and deliberately include the myriad other business processes that use personal information.
Technology Management. Many organizations have insight regarding core technology assets but lack coverage of portable devices. As we see personal information being processed more and more on end user devices that are not within the direct control or custody of the organization, technology management becomes an increasingly important element of Privacy GRC.
Incident Management. Managing the lifespan of incidents and other events related to personal information, including discovery, analysis, resolution, communication, root cause analysis, and tracking. Regulations over incident management and breach notification require effective approaches, which cannot be effective unless enabled with technology for recording facts and decisions, and managing workflow throughout the lifespan of an incident.
Third Party Management. Managing the selection, contracts, engagement, ongoing assurance, and termination of third parties that handle personal information for the organization. It is difficult enough to manage risk, compliance, and internal control within the organization. Tools, therefore, are critical in managing the processes associated with third parties with which you exchange personal information or which access it.
Training and Awareness. Publishing, communicating, and monitoring privacy-related training programs, including ongoing awareness communications. Many organizations already deliver some training and awareness through web-based learning tools, email, and intranets. The next step is monitoring progress and measuring the effectiveness of that delivery.
Management Level
Governance. For many, the first step in improving governance will be formalizing it, especially within business units, and integrating that formalization into role and performance management systems. However, automating governance also involves integrating reviews, decisioning, and authorizations within business processes themselves. Enabling governance with technology, therefore, will involve its integration into other process automation throughout the organization.
Risk Management. This aspect of automation often involves applying enterprise risk management and IT risk management tools to specifically address privacy risk. Often the first step is using those tools to address privacy-related risk discretely, whereas more mature organizations will move to integrate privacy-related risk with the management of the other business risks faced by the organization.
Compliance. Managing compliance requirements and correlating them with operational, technical, legal, and administrative controls. Planning and conducting compliance assessments and audits. Implementing technical and process control monitoring, and where feasible continuous controls monitoring. An initial step to improving the performance of compliance is accounting for the various, often-overlapping rules and regulations over personal information. However, real improvement can be seen when those overlapping rules and regulations are correlated so that internal control and monitoring can be rationalized. That rationalization is among the improvements with the highest potential in the effective performance of Privacy GRC.
Addressing these dimensions will help you move to an enhanced posture for managing Privacy GRC across the enterprise.
To achieve Enhanced Privacy GRC
Ten years ago, privacy management involved putting key elements of a program in place. Over the past few years, it has been about extending coverage of privacy functions and activities across the enterprise, with better integration with the information technology department and liaisons within various business units. For organizations with Privacy GRC In Place and coverage nearly there, the focus needs to include running the privacy function like you would other parts of the business: effectively and efficiently. A goal for Enhanced Privacy GRC in the new decade will require you to begin formalizing, monitoring, and automating privacy now.
About the authors
Hugh Kominars is Vice President of Managed Compliance Services at ControlCase. He may be reached at hkominars@controlcase.com.
Brian Tretick is Managing Director for Athena. He may be reached at brian.tretick@athenaprivacy.com.
Going Global: Privacy in the Fifth Dimension
By Brian Tretick
Prepared remarks before the Federal Communications Bar Association International Telecommunications and Privacy and Data Security Committees
12 January 2011. Washington, DC.
It wasn’t until the 20th century that we could even begin to put space and time together into space-time. We were comfortable with our three-dimensional view of space and understood time to be an independent dimension. Then—bam—with quantum physics, we needed to adjust our understanding of the universe. We now operate comfortably in four dimensions and have adapted to space-time. I contend that dealing with privacy while going global requires us to cross into a universe view that contains a fifth dimension that is neither spatial nor temporal. It is a dimension of international laws, regulations, social norms, and cultural behaviors that is really difficult to comprehend and operate in. I have been there, and at least we know they have oxygen.
We have covered most of the globe in tonight’s discussions, but the main challenge is Europe. The regulatory and social regimes, similar yet notably distinct across the 27 member nations of the European Union, extend to the non-Union members as well. The Asia-Pacific region confronts us as an obvious conglomeration of different economies and regulatory regimes. Europe seems to soothe us with a regime that is on its surface apparently homogenous when viewed from our current dimension, but underneath which we discover a bubbling and turbulent atmosphere of distinct, disparate, and dynamic environments that make managing privacy very complicated indeed. In fact, it cannot be managed effectively from here, but only by stepping into that fifth dimension.
Knowing that there is oxygen should be comforting. Also, knowing that our government is active to give us a sort of grand unification theory of privacy is also comforting, but that part of the future is a long way away.
You will need, however, to address some new issues in new ways in order to operate there. Here are a few of them to start with:
First and foremost, you must:
Comply with national privacy laws and regulations in your new markets. Your foreign affiliates need to be established so that they meet local, applicable laws and regulations in the jurisdictions in which they operate, both for customer information and for employee information. Different approaches are needed, just as we approach a relativistic universe differently than a quantum universe. They have gravity, for example, but it operates differently there.
Next, you must consider local diplomacy by:
Consulting with works councils and other employee representative bodies. In Europe, it is common that these bodies have a consultative role in how employee information is processed, notably when it comes to trans-border transfer. In the US, for example, we only have company softball teams and they don’t have a clue about privacy. So, the diplomacy you use should be thoughtful and begun early.
To comply locally, you will in all probability need to:
Seriously challenge your US-oriented approach. Many US-based organizations, on going global, find that their original policies and standard operating procedures are very US-focused. It will not be enough to establish policies and procedures for your foreign affiliates, but also will require you to review, rethink, and revise your corporate policies and procedures so that they are useful in your new markets. It’s not uncommon for privacy policy, security policy, records management policy, acceptable use policy, and a host of similar corporate regimes to be parochial and limited in their world view. Even website privacy statements will need to be revisited to address your global market. We have had such a 4-dimensional space-time view of the universe to date, and it will absolutely not work across dimensions. Period. It is time to adapt.
The next issue to address, once the local issues are understood, is to deal with trans-dimensional flow. Specifically, you will need to:
Legitimize the trans-border transfer and processing of personal information. In the US, personal information can come and go as you please, thank you very much. It’s second nature just to transfer it between operating locations and with service providers. But when we factor Europe into the mix, there is no room for our second nature anymore. Every transfer of European personal information, each hop from entity to entity and location to location, must be legitimized. Safe Harbor, model contracts, binding corporate rules, and contracts and more contracts—some combinatorial cocktail of these techniques—is needed to cover a complex multinational corporation. It is rare that one technique suffices, and it’s seldom easy. Outsourced and offshore operations, shared service centers, consolidated websites and global ecommerce platforms, and global systems and processes challenge our ability to understand and account for such a tangled web of information flows and processing. In a US-centric view, the concept of legitimizing the transfer and processing is alien indeed. It is, however, the crux of making privacy work when going global.
Compliance is not done, however, until the paperwork is done. This involves:
Registering, notifying, and seeking authorization from data protection authorities. Once you can decipher the alien glyphs and languages, registrations and notifications are fairly straightforward processes but still they are difficult to manage consistently. Some of your transfers, however, will likely require the additional, time-consuming steps associated with seeking authorization from some of the authorities. You should look to local counsel and well-organized files to help you establish and maintain your regulatory filings. However, we heard that these filings need to be completed before you actually need them, before you begin your transfers—so begin as well to investigate how to time warp backwards.
After dealing with the local issues and the trans-dimensional flow, you will need to address your control environment by:
Aligning your internal control and audit strategies to the international dimension. Each of the primary tools used to legitimize transfer and processing—such as Safe Harbor, model contracts, and binding corporate rules—involves first applying procedures and controls that may be new and different for your organization, and then validating them periodically, such as through audits. This not only requires them to be in place and operating effectively over time, but more of a challenge it requires others in your organizations to understand and recognize the new regimes. These cultural and institutional changes may be your most challenging.
At this point, you would have recognized the differences across dimensions and accounted for both the new operating environment and the trans-dimensional flow of information. It does not, however, stop. A dynamic and changing universe brings new operating conditions, new rules, and changes that must be addressed continuously.
In fact, we need to prepare ourselves for the establishment of other dimensions where neither a US-centric view nor even a somewhat common European view will suffice, as the privacy regimes of the Asia-Pacific region and South America continue to form and evolve. It will result, I am sure, in a never-ending pursuit for regulatory compliance and effective operations across the universe.
Thank you.
About the speaker
Brian Tretick is Managing Director for Athena. He may be reached at brian.tretick@athenaprivacy.com.