Today I filed a formal complaint against #YouTube with the Irish Data Protection Commissioner for their illegal deployment of #adblock detection technologies.
Under Article 5(3) of 2002/58/EC YouTube are legally obligated to obtain consent before storing or accessing information already stored on an end user's terminal equipment unless it is strictly necessary for the provisions of the requested service.
In 2016 the EU Commission confirmed in writing that adblock detection requires consent.
Alexander Hanff
•You can help by filing your own complaint here:
https://forms.dataprotection.ie/contact
The more complaints the DPC receives - the quicker they will act.
You can use my complaint to help write your own (attached).
#privacy #surveillancecapitalism #advertising #cookies #consent #law
Alexander Hanff
•I cannot stress enough how important it is for you all to take the 5-10 minutes it takes to file this complaint.
If the Irish DPC receives only my complaint they will likely not pay it any attention for at least 18 months if at all - but if they receive 10 000 complaints it will seriously eat into their budget (it costs money to handle complaints) and will "motivate" them to act much faster.
If they receive 100 000 complaints - YouTube will be forced to stop this very quickly indeed.
A* Ulven :verified_blobcat:
•hi Alex. IANAL, but I don't really see what adblock detection has to do with accessing information stored on a device. The way they implemented this is likely giving unique ad IDs, and then checking if connections are being made to those IDs, when you load the page. If not, then it's obvious what is happening.
Look, I dislike this YouTube move as much as you, but I really don't think GDPR is appropriate to handle this. This does seem more like a case of a business rejecting customers by not providing them with the requested service at their discretion. This, by the way, is fully legal, as long as it is not a targeted campaign against protected minorities (women, LGBT, refugees), which very clearly isn't the case.
Can you elaborate further on why you think GDPR applies here?
Alexander Hanff
•I am not asking what they are doing - I know already what they are doing from a technical perspective; and I am not asking if it is illegal, I already know it is illegal as I am an expert on this particular law, helped to write its replacement and already had confirmation from DG Just (EU Commission) that the law applies in the way I have stated.
I also never said anything about GDPR - this is not a GDPR issue.
But thanks for your input 😀
Alexander Hanff
•oh and I have a Masters in Law focused on privacy and data protection laws and am an expert advisor to multiple EU institutions on matters of privacy/data protection and cybersecurity law and technologies.
I am also a computer scientist with 30 years' experience and a sociologist with my studies focused on the impact of technology on society (with a specific focus on privacy and related human rights) and my computer science degree was a double major with psychology.
Alexander Hanff
•so I am pretty clued up on these issues (to say the least) and am regarded as one of the foremost experts in the world on this particular law.
As such, please don't try to teach me how to suck eggs 😀
A* Ulven :verified_blobcat:
•I understand.
However, I do see, unfortunately, lots of people throwing laws around to try to stop something that is completely legal but they personally dislike.
With that being said... You haven't really justified anything. I believe you have a lot of experience and know very well what you are doing: good for you. But I still do not understand why you're framing it this way.
In particular, I would like to know exactly how they're doing this, on a technical level, since you mentioned you know perfectly well (and I only have a vague intuition, admittedly).
I may not be as academically achieved as you are in regulatory fields, but I do have a CS degree, and more than a decade working with Internet-connected systems, specifically in the areas of computer security, which of course includes handling PCI, PII, and GDPR data in a secure manner. I am sure I would be able to understand how YouTube has implemented this on a technical level in a way that contravenes the law.
Alexander Hanff
•
A* Ulven :verified_blobcat:
•I had read your excerpt:
"Under Article 5(3) of 2002/58/EC YouTube are legally obligated to obtain consent before storing or accessing information already stored on an end user's terminal equipment unless it is strictly necessary for the provisions of the requested service."
And I explicitly mentioned earlier that I fail to make the connection between this specific paragraph and anti-adblock technologies.
Is there something I am missing? I am not really willing to read the entirety of the ePrivacy Directive, because, and I'm sure you'd understand:
- the vast majority of the document is not relevant to the way YouTube implements their anti-adblock techniques
- you specifically are the subject matter expert, and I believe it is less work for you to show me how the connection is made than the time I'd have to invest reading the document in full, possibly still not arriving at a conclusion, which is the point of this exchange in the first place
Alexander Hanff
•in order for YouTube to detect the use of adblockers, they are using JavaScript in the client to detect various behaviours.
The deployment of that JS file itself requires consent, the running of the JavaScript within the browser to ascertain how the browser is behaving also requires consent - there is no other legal basis available under the relevant law.
There is no escape clause here for YouTube, we have EU case law which is binding on *all* Member States supporting this.
Joe Mansfield
•If that is the case then most websites are also in breach of the same law. Virtually nothing works if you disable client side JavaScript, which by definition has been loaded (from the remote) and executed locally in your browser.
I’ve never seen a single consent screen for that. In fact, I reckon every consent screen implementation out there would be in breach of that.
So why pick on YouTube’s ad-blocker?