Are "AdBlockers" detectors illegal?

The "AdBlockers" block the display of advertising on a website. Detectors "Adblockers" can detect users of these "AdBlockers" and prohibit (more often) navigation in case of positive detection.

But is it legal?


Tube with AdBlock installed (cc Yuriy Akopov)

Tube with AdBlock installed (cc Yuriy Akopov)

Chapter 1. Why this question?

While walking on Twitter, I came across this article: Outlaw publishers when they target adblockers?

Section 1.1. The content of this article

This article quotes Alexander Hanff, a privacy consultant and campaigner for the Think Privacy movement:

Detecting that a user uses one is a violation of European law. I spent this last year talking to regulators across Europe who confirmed it all to me, he says. The detection of an adblocker is technically illegal. All these sites that post warning messages to users, such as The Guardian, are technically illegal if they use scripts.

Devil…

But what would be the legal basis for such an assertion?

Section 1.2. Should we believe this article?

For me, as it stands, this statement is as valuable as "the use of spaghetti is illegal, my cousin told me” .

Being a lawyer means justifying what you say and, failing that, our developments have no value.

I am not saying that this statement is necessarily false, I am simply saying that it has no weight because it is unsupported.

Chapter 2. How Adblockers and AdBlockers Detectors Work

To understand the legal developments that follow, it is important to understand how technically it works.

The vast majority of Adblockers are Web browser plugins (such as Adblocker plus) and remove web pages displayed in your browser from HTML tags containing content that they identify as advertisements.

For example, content like this can be removed from the web page:

Conversely, the vast majority of Adblockers detectors are JavaScript (contained in the page you are viewing) and will verify that the tags in question are not deleted or hidden.

Of course, I do not pronounce for all Adblockers or for all Adblockers detectors on the planet, but I went to look at the source code of some "well known" (Like Adblock More) and that's how they work.

For clarity, I specify that the JavaScript codes are executed locally to the browser and that the sending of information to the source server is not necessary.

Operation of Adblockers detectors

Operation of Adblockers detectors

JavaScript scripts are very common on the Internet and it is not uncommon for a Web page to contain between 10 to 50 scripts to be able to be correctly displayed.

Chapter 3. Ideas for reflection

While chatting on Twitter, I was told two tracks that we will dig together.

Section 3.1. Computer law and freedom

Some have mentioned the fact that these tools (ie Adblockers detectors) would be illegal for lack of consent of the user regarding the processing of his personal data.

I do not share this view for at least two major reasons.

3.1.1. Personal data ?

First of all, I do not think such processing manipulates personal data.

Personal data is defined by theArticle 2 of Law 78-17 :

Personal data is any information relating to a natural person identified or which can be identified, directly or indirectly, by reference to an identification number or to one or more elements of its own.

Here, the only data that is normally processed is the browser configuration: does it contain a tool that removes ads?

In my opinion, detecting the presence of an Adblocker tool does not identify a natural person, directly or indirectly.

For the CNIL, a data becomes personal when the identification of a person becomes possible (possibly after cross-checking): name, first name, photos, IP address, etc.

This is not the case here, because at most you can divide the population of the planet into two categories: those who use an Adblocker and those who do not use it ... I do not see how one could then identify a nobody.

As an illustration, the CNIL considers that is not a personal data (and therefore is exempt from consent) a geolocation of a user of a website "no more accurate than the scale of a city” .

How does knowing a binary information about a person (Adblocker or not) be a personal fact while knowing a person's city would not be?

Moreover, under this hypothesis, we would arrive at an ubiquitous situation. If the determination of the presence of an Adblocker was a processing of personal data, all of these common actions performed on the Internet by web developers should also collect the consent of the user:

  • dynamically change the display of a website to fit the screen of a phone or tablet;
  • dynamically change the language of a website based on the browser language of the user;
  • determine the version of a browser to send him a website as "as compatible as possible";
  • ...

3.1.2. Responsible for treatment

Even if the determination of the presence of an Adblocker would be a processing of personal data, I do not think that the consent of the user is necessary.

It must be understood that the computer law and freedom 78-17 was thought to frame the use than a third could do with our personal data.

In this case, and if the JavaScript only determines the presence of the Adblocker, the person who performs the treatment is not a third party: it is you through your browser (yes, I know ... c is vicious, but it's technically right).

You then keep the complete possession of your data: in the case of a conventional Adblockers detector, no data is transmitted to the server.

So two things one:

  • the controller (within the meaning of the law 78-17) is the user (ie you): I do not see why consent should be collected;
  • the controller (within the meaning of the law 78-17) is at the level of the "server": the "personal data"Does not allow identification since it is not transmitted to the controller (seeArticle 2 of Law 78-17):

In order to determine whether a person is identifiable, all means must be considered in order to allow his identification. available to or at the disposal of the controller or any other person.

Section 3.2. Directive 2002/58, Article 5 (3)

In our reflection on Twitter, we also mentioned Article 5 (3) of the Directive 2002/58 / EC :

Member States shall ensure that the use of electronic communications networks for the purpose of storing information or accessing information stored in the terminal equipment of a subscriber or user is permitted only if the subscriber or the user, is provided, in compliance with Directive 95/46 / EC, with clear and complete information, among other things about the purposes of the processing, and that the subscriber or the user has the right to to refuse such treatment by the controller. This provision shall not preclude technical storage or access aimed exclusively at making or facilitating the transmission of a communication over an electronic communications network, or strictly necessary for the provision of a communication service. information society specifically requested by the subscriber or the user.

Under this formulation hides the consent of the user when using cookies.

Nevertheless, it must be emphasized that an Adblocker detector and a cookie work in a very different way.

A computer "cookie" is a kind of small file that will store information (for example, on the user) and will transmit it to the web server when browsing.

How cookies work

How cookies work

Therefore, the information stored in the cookies are transmitted to the server throughout the navigation of the user: this technique allows in particular to track / track a user.

It is for this reason that the legislator wished to frame this practice in order to avoid a generalized tracking of the Internet users.

In this case (ie Adblockers), all treatments are normally performed local. Therefore, no transmission is made and the analogy of the cookie can not apply in my opinion.

Moreover, to be convinced of this, it is enough to read carefully Article 5 (3) of the Directive 2002/58 / EC : “in order to store information or access to information stored in the terminal equipment of a subscriber or user ". No storage is done on the browser (everything is dynamic), no data is accessed by a third party.

Chapter 4. Conclusion on legality

As you will have understood, I do not share the opinion of some people concerning the illegality of such conventional detectors at the look texts on privacy and cookies.

Nevertheless, my analysis does not go beyond:

  • I do not comment on the existence of an Adblocker detector that goes beyond what is technically necessary (eg transmission to the server of truly personal data, storage of information in a cookie, etc.)
  • I do not know if another text (for example, in consumer law or competition law) would not make conventional Adblockers detectors illegal.

Chapter 5. [Update] The interpretation of the European Commission?

Section 5.1. The letter from the Commission

After the first publication of my article, Alexander Hanff published on Twitter an excerpt of an opinion of the European Commission that I reproduce here.

Page 1 of the European Commission's opinion on Ad-Blockers detectors

Page 1 of the European Commission's opinion on Ad-Blockers detectors

Page 2 of the European Commission's opinion on Ad-Blockers detectors

Page 2 of the European Commission's opinion on Ad-Blockers detectors

In essence, the drafter of the notice states that Adblockers' detectors must collect the user's consent under section 5 (3) of the Directive 2002/58 / EC. The reason for this is the fact that the scripts would be saved in the browser and the letter of Article 5 (3) covers "any information"Which would be stored.

So to put it simply, the European Commission does not seem to agree with me ...

Section 5.2. My analysis

But let us explain why I maintain my position.

Indeed, if we were to accept the interpretation of the Commission or Alexander Hanff, the user's consent should be collected as soon as he displays a simple Web page: indeed, each page is also stored (temporarily) in the browser for display.

But that would not be very practical.

I was then told that the user had already given his implicit consent since he wanted the display of this web page. This is true…

However, the Adblocker detector script is an integral part of the web page itself: would the user have given only partial consent: "I want the web page but not the JavaScript scripts"?

As soon as a script exists in a page, should it be an agreement of the additional user (reminder, each web page contains dozens and dozens of scripts to operate the drop-down menus, to make animations, etc.)?

We understand that it would not be viable ...

Would it then be a user agreement when the page contains a script that the user "will not"(Ie in this case the famous detector)?

We touch there then a philosophical debate and not technical or legal: a a priori on the wish of the user ...

(By the way, now that you point this out to me, does the user want the left column of the webpage to be displayed ... because maybe not, I'm going to ask him for his consent ... ).

I do not think that this interpretation can lead to a reasonable solution.

For simplicity :

  • Article 5 (3) of the Directive 2002/58 / EC must be interpreted strictly and a user's consent must be required for all content which is transmitted (because stored temporarily) from the server (arg ... ).
  • Article 5 (3) of the Directive 2002/58 / EC must be interpreted in order to correspond to the recitals of this Directive (and in particular its recital (24) which corresponds to the protection of privacy) and only the uses of "plotting"Transmitting personal data to a third party must be framed.

I let you make your own opinion!

6 Comments:

  1. Personally, I am against these adblockers detectors. We are in our right not to want to see advertisements all the time when we go on any site. So what's the use of knowing who does not want their advertising? I find that it is a violation of the freedom of action of the user who has the right to want to see or not advertisements.

    • Hello,

      I do not say the opposite: I am simply talking about law. "Is there a legal basis that makes ad-blockers illegal?" That's it ...

      I hear the principle of freedom, but we must not forget the right of content publishers to provide content containing advertisements: today this is not prohibited. How can they be banned from checking for adblocker?

  2. Pingback:Anti-adblocks: the European Commission puts its 'Banners Pub'

  3. All this beautiful demonstration falls in the water when we take the example of the site lemonde.fr which uses a solution based on cookies for anti adblock.

  4. and a public person like the CNIL can legally recommend the use of a "free" software of a private person?

Leave a Reply

Your e-mail address will not be published. Required fields are marked *