About that claim that detecting Adblock may be illegal

 


 

Last week Twitter lit up when the European Commission indicated anti-adblocking technologies like BlockAdblock may be “illegal”.

Before getting into why this position is based on a technological misunderstanding of how adblocking detection works and how the EC was led to its position by one agenda-driven privacy entrepreneur, let’s get a little background information out of the way:

 

The 2009 ePrivacy Directive

In 2009 the EC passed the “ePrivacy Directive” as part of their Regulatory Framework for Electronic Communications. Among other things, the ePrivacy Directive requires any website using cookies to get user permission before setting or retrieving any persistent data.

Section 5.3 of the ePrivacy directive (also commonly called the “Cookie Law”) reads as follows:

 “The storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent…”

 

As you most likely already know, browser “cookies” are persistent, locally stored user-specific data files which survive a single website visit (outside of a standard browser cache), and can be used to identify individual website visitors. Cookies can last for indefinite periods of time. A website can store your user-specific data in your browser in the form of a cookie, and access it on your next visit — even months or years later. While some cookies may be used as part of advertising “tracking” systems, others provide a vital part of basic website functionality, allowing for both customization of website services and the ability to store user settings and preferences for subsequent visits.

One must note however that the rule does not use the term “cookie”. Instead, the ePrivacy directive calls for user approval before storing or retrieving “information” on a user’s browser.

But what exactly does “information” mean? Is information restricted to cookies? Might all web content be considered “information”? If so, how about images, fonts and article text? Does that mean that every website on the internet would require permission regardless of cookies?

We’ll get to those questions later.

 

An activist’s spin

Last week’s confusion started when privacy activist Alexander Hanff revealed his cleverly crafted query to the EC regarding the scope of section 5.3 of the ePrivacy directive. While I don’t have a copy of Hanff’s original request, we can see it referenced here in the EC’s response:

[Image: “storage what storage”]

 

Hanff’s strategic (and misplaced) use of the word “storage” intentionally loads the question. By framing the question this way, he suggests that anti-adblock technology works something like a cookie, somehow involving “storage”. Hanff’s entirely misleading premise here is that “scripts”, like cookies, must be stored and retrieved as part of their normal function.

Not so fast.

 

How does Javascript detection work anyway?

Adblock detection scripts (which are almost always “inlined” and do not even exist as separate or distinct files) are no more “stored” than any other piece of web media, and are demonstrably less stored than standard stand-alone javascript (.js) files. At the outset, Hanff’s question misrepresents the basic action of browsers by conflating the unrelated concepts of inline javascript execution and the storing and retrieval of persistent data.

Hanff leads the EC down a circular path by incorrectly asserting that persistent “storage” is part and parcel of a script’s basic function and then reflexively asking if laws governing storage might then apply.

His question is based on a false premise.

It’s important to understand what Adblock detection Javascripts can and can’t do:

  1. Anti Adblock scripts do not (and cannot) report specifically which ad blocking plugins are installed on a user’s system. They are not a type of installed software, capable of reporting what users have installed on their systems. As much as I may wish otherwise, Javascript has no way of “knowing” with 100% certainty whether a user is blocking ads — let alone using Adblock, Adblock Plus, AdGuard, uBlock Origin, or any other specific ad blocking plugin. To suggest that an anti-adblocking script is “reading user data” or “reporting on settings” is grossly inaccurate. Javascript knows only what it is permitted to know by the browser.
  2. Anti Adblock scripts can only ever make educated guesses based upon the performance of a user’s browser. Those guesses by definition can never be made with 100% certainty, and those guesses are made by using the same standard javascript functionality that is used by millions of websites which don’t detect javascript. Javascript feature detection is a vital part of most modern web pages. (We’ll get to some examples below).
  3. Anti Adblock scripts do not require persistent storage (or installation) on a user’s system to function.
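
The kind of behavior-based guess described in the list above, as an added example (not code from the original post and not BlockAdblock's own script). It assumes a common bait-element heuristic, which the page itself does not show; the class names and the stand-in `document` object are constructed so the probe runs under Node and every property it touches can be audited.

```javascript
// Added illustration: a generic bait-element heuristic, not BlockAdblock's code.
// The class names and the fake DOM below are constructed for this example.

// Guess whether a content blocker is active by observing how the browser
// renders a decoy element. Nothing is written to or read from storage.
function probeForBlocker(doc) {
  const bait = doc.createElement('div');
  bait.className = 'adsbox ad-banner';        // assumed filter-list targets
  bait.style.height = '10px';
  doc.body.appendChild(bait);
  const hidden = bait.offsetHeight === 0;     // collapsed => probably filtered
  doc.body.removeChild(bait);
  return { blockerLikely: hidden, certain: false }; // only ever an inference
}

// Minimal stand-in for `document` so the probe runs outside a browser.
// `cosmeticFilter` simulates an extension hiding elements by class name.
function makeFakeDocument(cosmeticFilter) {
  const touched = [];
  const target = {
    cookie: 'session=constructed',
    body: { appendChild() {}, removeChild() {} },
    createElement() {
      return {
        className: '', style: {},
        get offsetHeight() {
          const classes = this.className.split(' ');
          const blocked = cosmeticFilter.some(c => classes.includes(c));
          return blocked ? 0 : parseInt(this.style.height, 10) || 0;
        },
      };
    },
  };
  // Record every document property the probe reads, for auditing.
  const doc = new Proxy(target, {
    get(obj, prop) { touched.push(String(prop)); return obj[prop]; },
  });
  return { doc, touched };
}

// Run the probe and report which document properties it accessed.
function audit(cosmeticFilter) {
  const { doc, touched } = makeFakeDocument(cosmeticFilter);
  const result = probeForBlocker(doc);
  const storageApis = ['cookie', 'localStorage', 'sessionStorage', 'indexedDB'];
  return { ...result, touched, readStorage: touched.some(p => storageApis.includes(p)) };
}

console.log(audit(['adsbox']));  // blocker simulated
console.log(audit([]));          // no blocker
```

The `certain: false` field is deliberate: a site stylesheet or a slow render can collapse the bait element too, so the result is a guess about rendering behavior and nothing more.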

 

The EC’s response

Despite Hanff’s obvious misuse of the word “storage”, and his misrepresentation of the behavior of Javascript itself, the Commission clearly didn’t hesitate to lunge at the opportunity to increase the scope of its provision:

[Images: two screenshots]

 

“Storage by websites of scripts”?

There are so many things wrong with this it’s hard to know where to begin. Obviously the EC took the ‘bait’ of Hanff’s characterization of scripts being “stored” and leapt to the conclusion that their “Cookie Law” should therefore have bearing on not just cookies, and not just all Javascript — but all web media.

Why is the word “stored” even in the EC’s response? This obvious effort to insert the “square peg” of inline javascript into the “round hole” of the Cookie Law doesn’t even begin to make sense.

To be clear: Anti Adblock scripts do not need to be stored. Nor do they retrieve “stored” information of any kind.

And even if they did…

 

All browsers store media

All website data including images, text, CSS and some javascript are stored in the browser cache with every visit. To be clear: The very act of browsing the web is one and the same as the act of storing and accessing locally stored data via the cache. On any standard web browser window, to browse is to store.

If section 5.3 of the ePrivacy Directive is to be extended to non-cookie information, then the basic activity of web browsing itself (which uses caching) must of course be included. If, as the EC now claims, the term “storage” is to be applied to all “information” (i.e. any media of any kind) viewed by a web browser, then all websites must ask user permission whether or not they use cookies at all, because the basic function of browsing involves storing information. Obviously this falls well outside the intent of the original ruling, which centered on cookies and user-specific data, not the basic content of websites themselves.

 

But scripts don’t even need to be stored to execute

Secondly and more importantly, the action of anti-adblock scripts has nothing at all to do with persistent client storage of those scripts. Nor does Javascript have the ability to report on the presence of plugins by virtue of those plugins being stored. Ad blocking plugins alter the behavior of the browser and that behavior is detectable.

Even if the browser didn’t store any javascript across sessions, those scripts would function equally well.

There is no connection whatsoever between persistent “storage by websites of scripts in users’ terminal equipment” and the function of said scripts.

But that’s not where things really fall apart with Hanff’s (and the EC’s) confused position.

 

All advanced websites detect browser settings and features

As discussed above, due to basic browser security restrictions, Javascript has no ability to ‘report’ plug-in information and can only make educated guesses about which plugins are installed based upon what browsers publicly reveal. The EC clearly misunderstands the mechanism by which anti adblocking scripts function: They are not stored (or installed) — and they do not directly report or reveal system settings like a browser plugin does.

But that doesn’t mean that javascript can’t safely report myriad pieces of browser information. Tens of millions of websites do detect other browser information as part of their normal operation.

Here’s a quick (and incomplete) list of the types of javascript detection that are extremely standard across the Internet:

  • Detecting Flash
  • Detecting Java
  • Detecting the language of the browser
  • Detecting the screen size of the browser window
  • Detecting the screen resolution of the client device
  • Detecting the operating system of the browser
  • Detecting the type of browser
  • Detecting the version of the browser
  • Detecting whether the user is visiting from mobile or desktop
  • Using reverse IP lookup
  • Detecting whether the browser is capable of session storage
  • Detecting whether the browser is HTML5 capable
  • Detecting the color depth of the browser
  • Detecting available system fonts
  • Determining if a browser is touch-capable

I could go on, but you get the point: Javascript detection of browser capabilities is a standard and extremely important part of basic website functionality — without which the functionality of most websites would be reduced to circa 1996.

The means by which web publishers defend themselves against ad blockers is absolutely no different from the above examples of Javascript feature- and browser behavior-detection.

 

More silliness…

Hanff goes on to inquire about Recital 66 of the Citizens’ Rights Directive. Again, both Hanff’s question and the EC’s response show a lack of understanding of the mechanism by which anti-adblock defenses work:

[Image: “technically unsophisticated”]

 

Clearly both Hanff and the EC believe that anti-adblock defenses somehow directly access information “stored” within a browser.

To which I would ask: Please identify the specific stored information that is being accessed.

Making an educated guess based on browser behavior is absolutely not the same as accessing stored information. The conclusions reached by the EC are the result of a mischaracterization of anti-adblock defense technology — either intentional or otherwise.

 

The exceptions: It’s all subjective anyway

Lastly: Never mind for a moment that the ePrivacy Directive’s “Cookie Law” should have no bearing whatsoever on anti-adblock defenses, which neither access stored data nor represent stored data themselves — the Cookie Law contains footnoted “exceptions” which render the entire law rather uselessly subjective.

[Image: “exceptions”]

Number two explicitly states that the law does not apply when the storing of data is “strictly necessary” in order for the provider to provide the service.

Here in the real world of non-taxpayer funded entities, one typically counts the existential financial viability of a newspaper among its necessities. If without advertising revenue the “service” itself would cease to exist, then the defense of vital and life-sustaining revenue streams is clearly “necessary” to provide the service. So even if anti-adblock defenses did “store” and “access” locally stored information (which they do not), it would appear that the ePrivacy Directive would protect the right to store and access data when said actions are “necessary” to provide the service.

 

The irony is

On the other side of the pond it’s quite clear that Adblock Plus and other adblockers are in direct violation of the US DMCA’s anti-circumvention rules. New updates to multiple ad blocking applications continue to bring new, purpose-built anti-access circumvention technologies designed solely to bypass publishers’ access controls to copyrighted content. Still though, much of the publishing industry’s legal firepower continues to aim in the wrong direction by questioning whether ad blocking is legal or not. (Which of course it is. Anti-access circumvention, on the other hand, is quite clearly not under the US DMCA).

[As a side note, it was amusing and predictable to see Eyeo shunt its EasyList from the AdblockPlus.org domain over to GitHub in an effort to create a little legal-distance between the two entities last week. Their lawyers would seem to be earning their keep]

I’m looking forward to seeing this issue get legs in the US, where the DMCA tilts the field in the opposite direction.


  • booj

    “While some publishers may be going back to their legal teams just to be sure – the majority of publishers offered a quiet, unified yawn.”

    http://www.thedrum.com/opinion/2016/04/22/adblock-detector-legality-debate-not-day-reckoning-publishers-or-win-adblockers

  • http://on-t-internet.blogspot.com Wendy Cockcroft

    While I sympathise with publishers’ need to make a living I have no desire to have ads foisted on me whether I like it or not, particularly those that track me. I don’t mind ads that just sit on the sides minding their own business but I don’t like interstitials or the ones that autoplay in a loop. Advertising is supposed to be about reaching out to the public, not hacking them off.