Archive for October, 2011

Targeted online advertising – are you aware of how it works?

A couple of weeks ago, I was looking at flights and hotels for a trip to Reykjavik this January. One of the websites that I visited was, following a link from the Tripadvisor website.

This morning, I read an article on the Guardian website about the recent overhaul of the Independent website. At the foot of that article was the following advert:

Screenshot on Guardian website of advert for hotels in Reykjavik

Is it simply a coincidence that the advert the ad server served up (perhaps based on my Google search history) happened to be for hotels in Reykjavik from one of the websites that I visited when booking that trip?

Or does behavioural advertising now go deeper than I thought, and was this served up by based upon my recent searches on the website?

How does the system work?
Delving into the Guardian’s privacy policy, it appears that it is the latter.

The Guardian is a member of an online behavioural advertising system provided by a company called Audience Science. Audience Science appears to have many partners – from media/news sites to retailers (although doesn’t appear to be on the list of advertisers, it is mentioned in a recent press release), each of whom share information on your use of their websites to allow the others to provide targeted advertising.

What I hadn’t previously considered, and find slightly disturbing about this is that the (very wide-ranging) list of partners in Audience Science’s network will continue to expand. However, once you’ve opted in to the system and accepted the cookie, you are unlikely to be aware of subsequent changes (or really have much idea about what information is being shared and with whom). This means that you could be using one website unaware that your browsing habits could subsequently influence advertisements served up on another site. There is no “Audience Science member” flag.

Retargeted advertising
But I don’t think that the advert I saw this morning was served up through the Audience Science system. I think it was another system used on the Guardian website called “retargeted advertising”, provided by an organisation called Criteo. Here is what the Guardian’s privacy policy says about it:

For example, if you have visited the website of an online clothes shop you may start seeing ads from that same shopping site displaying special offers or showing you the products that you were browsing. This allows companies to advertise to website visitors who leave their website without making a purchase.

Again, I don’t ever remember consciously opting in to this system. Clearly, I must have accepted a cookie at some point (or passively accepted’s privacy policy), but wasn’t aware that by doing so was going to chase me around the Internet.

Interestingly, according to Criteo’s privacy policy, the only way of opting out of the Criteo program is to accept a permanent cookie. So if you don’t like cookies, but don’t like your Internet usage being tracked then tough.

Maybe the European Commission is right about the lack of transparent information for users and the recent change to laws governing the use of cookies isn’t so crazy after all?

What do you think? Is behavioural advertising A Bad Thing? Do you think it impinges on your privacy? Is it ok provided that you understand how it is being used?

PS I got the Hotel Thingholt much cheaper on Expedia.

PPS Luckily, the trip wasn’t intended to be a surprise.

PPPS The Internet Advertising Bureau allows you to centrally control your behavioural advertising preferences for services provided by its members here.

Technology vs risk – brave new world or 1984?

I have just returned from what was a highly interesting Society for Computers and Law 11th Annual Conference in Bath.

An 8.05am flight from Edinburgh Airport on Friday morning saw my contentious IP colleague Iain Rutherford and me arrive in Bath in time for morning registration. I had hoped for the chance to jump straight into the hotel spa, but instead we jumped straight into The Law!

This year’s conference sought to address the relationship between technology and legal risk, and while an in-depth summary of the topics, the speakers and their views might be in danger of breaching the Chatham House Rule, I think it’s safe to mention the excellent after-dinner speaker, John Naughton, Professor of the Public Understanding of Technology at the Open University.

Prof. Naughton discussed the dystopian accounts of technology forecast in both Orwell’s 1984 and Huxley’s Brave New World, and concluded that we are in danger of being simultaneously “oppressed by the things we hate” (as predicted by Orwell) and “oppressed by the things we love” (as predicted by Huxley).

Prof. Naughton implored the attendees to think about using their influence to ensure that technology is adequately regulated by law, in order to protect the freedom and privacy of individuals. Reflections were admittedly hard to come by in the spa’s jacuzzi, but I think that the notion that freedom and privacy are in danger is an unsettling one.

1984 is one of my favourite ever novels, and I have yet to encounter another book which has a scene more spine-tingling than when the painting falls off the wall to reveal the telescreen. Let’s hope that we, or generations to come, never actually experience anything like that.

ASA ruling on misleading price information on a website

The Advertising Standards Agency (ASA) has upheld a complaint against Warwick Castle on the way it displays pricing information on its website. This decision highlights the general move towards transparency of pricing following the Office of Fair Trading’s recent investigation into payment card surcharges in the airline industry.

In this case, the Warwick Castle website stated that visitor prices were “from £10 excluding VAT, plus VAT of £2.00, total £12.00”. This, in itself, isn’t terribly clear. However, on purchasing the tickets, customers were then faced with an additional £1 or £2 payment fee, depending on the payment method used for purchase.

The complaint was referred to the ASA for adjudication on the following grounds:

  • That the prices initially quoted did not include the mandatory card fee; and
  • That the website provided VAT exclusive prices.

On the first point, the ASA found that Warwick Castle had clearly breached the UK Code of Non-broadcast Advertising, Sales Promotion and Direct Marketing (the “CAP Code”). The ASA also found the pricing information clearly misleading and stated that the initial prices should have included the payment surcharge as there was no option but for customers to pay this if they wanted to buy a ticket to the attraction.

On the second point, despite the fact that Warwick Castle put forward a slightly bizarre explanation for displaying the VAT exclusive pricing (that this was part of a campaign to seek a review of VAT charges applicable to tourist attractions), the ASA found that this practice was also in breach of the CAP Code. Under Rule 3.18 of the Code, VAT exclusive pricing may only be given if all or most consumers pay no VAT or can recover VAT. As this was not the case here, Warwick Castle were in breach.

The key thing to take away from this is that, if you are displaying prices on a website, you should ensure that these prices are straightforward, transparent and represent the total amount that the consumer will pay. In addition, it is useful to note that displaying too much information (such as unnecessary breakdowns) is just as likely to land you in front of the ASA board as displaying too little pricing information upfront.

(but actually written by new TIO Group assistant Leigh Kirkpatrick – who will become a full Techblogger soon).

The curious incident of the government minister in the park

Most Techblog readers will now no doubt be aware of this morning’s breaking news story involving government minister and Conservative Party manifesto drafter, Oliver Letwin.

Essentially, in what is quite a bizarre story, Mr Letwin was spotted disposing of “papers” in various bins around St James’s Park – a stone’s throw from Downing Street and Whitehall.

Downing Street’s initial response was that the papers related to constituency business and weren’t “sensitive”. “Sensitive personal data” they may not be (we don’t yet know), but that doesn’t mean that the rules set out under the Data Protection Act do not apply – leaving personal information in public bins is very much frowned upon by the Information Commissioner.

The data protection principles
If the letter is from a constituent then it will contain personal data relating to that constituent and (potentially) matters personal to them, in respect of which he or she is seeking his or her MP’s assistance. As all good data protection lawyers know, the seventh principle says that “appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”

In this case, it’s difficult to see how disposing of papers in a public bin could constitute appropriate steps to prevent unauthorised access.

Personal liability
If the papers do relate to constituency business then Mr Letwin will be personally liable for any breaches of the DPA that have taken place. This is because he is the data controller – each MP is the data controller in respect of his or her constituency business (the ICO doesn’t allow you to deep-link to individual data controller notifications, but if you go here and search for registration number Z9233035 then you’ll find Mr Letwin’s notification).

As far as I’m aware, the ICO has not yet exercised its power to fine in relation to a non-corporate/public authority data controller. Given the prominence of this incident (until Mr Letwin’s cabinet colleague Liam Fox magnanimously knocked him off the top of the headlines), I will watch the Information Commissioner’s investigation with interest.

In the meantime, someone from the Cabinet Office may wish to attend to this.

Improving public records: the Public Records (Scotland) Act 2011

Last Tuesday I attended the Public Records Conference in Edinburgh, and delivered a presentation on the potential legal implications of the new Public Records (Scotland) Act 2011 (the “PRSA”).

The PRSA is intended to “make provision about the management of records by certain authorities”. The theory is that there is a moral imperative to improve record keeping in Scotland, and that the data protection law and freedom of information regimes are only as good as the records which are kept.

In his keynote address, the Keeper of the Records of Scotland Mr George MacKenzie mentioned that records keepers hate the stereotype of “dusty archives”. When it came to my turn to speak, my opening line was, pointing to my grey suit – “I worked at the Registers of Scotland for 4 years – when I started at the Registers, this suit was white”.

After that it was down to serious law, and the headlines of my presentation were as follows:

  • The public authorities to which the PRSA applies are set out in the Schedule. The voluntary sector will only be involved in complying with the PRSA when and where they are contracted by a public authority to perform a public function. The concept of “public function” isn’t defined in the PRSA and could prove controversial. Should the public sector start making provision in contracts for private providers to comply with the PRSA?
  • Public records are those created by a public authority in carrying out its functions. They’re also records created by or on behalf of a contractor in carrying out the authority’s functions (this is not intended to include persons who provide goods or services, but does mean that authorities must arrange for managing contractors’ records as well as their own). Finally, they’re also records created by any other person that have come into the possession of the authority or a contractor in carrying out the authority’s functions (examples include correspondence, reports, evidence or statistics which relate to the function).
  • Authorities must create records management plans, “agreed” with the Keeper. The issue here is about selecting someone at senior enough level to be taken seriously in driving this forward. This is a resource burden for public authorities and others and may require investment in training.
  • By the end of 2011 the Keeper will issue guidance to authorities about the form and content of records management plans. Section 5 of the PRSA provides that a plan will be reviewed not earlier than 5 years after the date of last review. However, under s. 6 the Keeper may at any time carry out a records management review to check on compliance. The triggers for this ad hoc checking of a plan aren’t clear.
  • If the authority fails to comply with any of the requirements of the PRSA, the Keeper may take such steps as the Keeper considers appropriate to publicise the failure. Unlike the Data Protection Act, there are no monetary penalties for failure to comply. There is therefore a suggestion that the PRSA may be “toothless”.
  • The PRSA is intended to be complementary to the Freedom of Information (Scotland) Act (“FOISA”). FOISA is a model publication scheme, while the PRSA is a model records management plan. The lists of organisations to which FOISA and the PRSA apply are different. The PRSA seeks to support FOISA, but it will not in any way impinge on FOISA or bring about a change in Schedule 1 of FOISA.

The full guidance notes for the PRSA can be read here.

It became clear during the conference that, at the outset at least, the PRSA is going to be enforced in a collaborative fashion. I don’t think we will see authorities being publicly censured for failures to comply, in the short term at least. It is scheduled to come into force at the start of 2013.

If you’d like more information, or are interested in some training on the PRSA for your organisation, then please email me or your usual TIO Group contact.

What happens next? The ECJ, the Football Association Premier League, and tv rights

The European Court of Justice (“ECJ”) gave a preliminary ruling yesterday which may have wide-ranging consequences for the licensing and broadcast of copyright material across Europe.

What’s it about?
The ruling actually relates to two cases in which the UK High Court stayed proceedings in order to refer questions to the ECJ about the correct interpretation of law. The questions broadly concern the use of foreign decoder cards by UK pubs to screen English Premier League Football matches. “Football Association Premier League v QC Leisure and Others” concerns the legality of importing foreign decoders, while “Karen Murphy v Media Protection Services” concerns the eponymous Karen Murphy using a Greek decoder in her Portsmouth pub, because subscribing to a Greek broadcaster is cheaper than subscribing to the UK rights-holder Sky.

The Football Association Premier League (“FAPL”) is objecting to the use of foreign decoders and subscription to non-UK broadcasters because it grants its licensees the exclusive right to broadcast matches of the Premier League and exploit them economically within their respective broadcasting areas – generally the country in question. In order to safeguard this exclusivity, each licensee is required to encrypt its satellite signal and to transmit it in encrypted form to subscribers within its assigned territory. The program is decrypted with a decoder card.

The applicable law here is not straightforward. The kind of questions referred to the ECJ included whether decoders were “illicit devices” under the Conditional Access Directive, whether a football match could be classified as a copyright work under the Copyright Directive, and whether the FAPL’s exclusive licences were restricting competition.

What did the court say?
The answers to the above were “no” (because foreign decoders don’t permit free access to protected services), “no” (sorry Lionel Messi, but the ECJ believes that “football is subject to the rules of the game, leaving no room for creative freedom for the purposes of copyright”) and “yes” (“agreements which are aimed at partitioning national markets according to national borders or make the inter-penetration of national markets more difficult must be regarded, in principle, as agreements whose object is to restrict competition”).

Overall the ECJ reckoned that “such partitioning and such an artificial price difference to which it gives rise are irreconcilable with the fundamental aim of the Treaty, which is completion of the internal market.” Where this leaves the concept of territorial licensing for any kind of copyright material is unclear. We may be seeing the first step towards pan-European licensing for sports, film and music, with consortiums of broadcasters bidding for rights.

What does this mean for the FAPL and the letting of broadcast rights?
The consolation goal for the FAPL is that the ECJ acknowledged it can assert copyright in things such as the opening video sequence, the Premier League anthem, various graphics and so on. This means that, in theory, pub landlords like Karen Murphy may still need to get permission of the FAPL to show these elements. This could lead to the FAPL devising a strategy to have as much copyright-filled material during the games as possible, in order to stop pubs from still subscribing to foreign broadcasters and just showing the matches.

However, even if the matches are filled with FAPL copyright material, surely such material would still be incidental to the match being broadcast, falling within the exemption in section 31(1) of the Copyright, Designs and Patents Act 1988: “Copyright in a work is not infringed by its incidental inclusion in an artistic work, sound recording, film or broadcast”? There’s a suggestion that the FAPL may even resort to having its logo flit randomly about the screen, like a menacing and unpredictable “False 9”! It will be fun to see “what happens next”!

PS apologies for reporting this a whole day after the ruling, but I needed to find time to actually read the thing and work out what it meant. I suppose I could have written something broad in advance, with made-up quotes, but I’ll leave that to the Daily Mail.
