Tag Archives: CNIL

When the State sells your personal data…

…it is with the Privacy Authority blessing!

This case is typical of the current French system, but this may echo some concerns elsewhere, so I have made a summary of an original post in French, so as to trigger discussion…

Basically all French politicians are claiming they want to fight the Privacy breaches, especially when North-American internet companies are involved. Still, the findings are clear: the French State and its state-owned companies are doing exactly the same!

First, the rule: any form collecting any of your (personal) data is to offer to the users the ability to give or refuse consent, regarding any further use of their data. In France, this is clearly stated in a law, passed as early as 1978 (named “Data Processing and Freedom”, a full concept in itself…).

There are two possible questions (“opt-in” or agree, and “opt-out” or disagree) and two ways of offering the answer (“active” and “passive”); this implies four different ways of collecting any consent (see table below), and of course generates confusion.


The “passive” response mode is neither common, nor recommended in France (even if it is not forbidden, as far as I may know), but it is more often found on US websites. In this case, the check-box is already ticked, and the user’s answer is registered by default. To register another choice, one has to un-tick the check-box. Clearly this option may only be used online.

For paper forms, one may focus on the “active” mode, when a check-box has to be ticked. The two remaining options are:

  1. Active opt-in = the user agrees, by ticking one or several check-boxes, that his/her personal date may be stored, reused, transferred, sold to third parties. This is the most respectful mode for the user, as only active opt-in guarantees that the user has chosen to give away his/her data. But this is not the norm…
  2. active opt-out = the use disagrees that his/her personal data are used, still by ticking a check-box. This mode is the most commonly used in France, and the Privacy Authority (CNIL) implicitly endorses this behavior. On its website, namely in the Q&A section of their website (only available in French), the CNIL mentions that the user may “oppose” to personal data transfer to third-parties or “refuse” that such data be used for commercial purposes. they endorse the opt-out mode.

Of course, many user just forget to tick check-boxes (or worse, do not find them), and hence are included by default on files sold to third-parties, namely for business purposes. This may be understandable for private companies, but when it comes to the Government or to State-owned companies, this is more disputable!

I have covered two examples in the original French version of this post, taken from recent experiences, that I believe may not be of interest for non-French speaking people. My comments are backed up by solid material.

Hence, the French State collects – and resells – personal data from its citizens, while Google, Amazon or Facebook are blamed for doing the same… You mean “contradiction”? I say “opportunism”.

For a true personal data protection, one has to develop alternative targeting tools! “Fingerprinting” or “unique identifier”, are mentioned, but there also is a non-intrusive option, based on the user’s online behavior. I am working on it… Willing to know more? Stay tuned and come back next week on this blog!

[This post is a summary of a longer original version written in the French-speaking section of DataElicitation.com; the original version in French namely includes pics and explanations of two opt-out examples]

Data Privacy, between a rock and a hard place

How are we to handle Data Privacy? Through goodwill, as original free internet promoters would like to? Or through coercive regulation measures, as government bodies are prone to? This definitely is no easy dilemma…

The Marketing Mobile Association in France has been willing to put the question on the table, last Wednesday (Feb 12th), on the very same day when the US were having the so-called “safer internet day”. The meeting venue was more on the goodwill side, as the event has been hosted by the Mozilla Foundation in their Paris office. A nice place, by the way, see for yourself…

Mozilla Meeting Room

The discussion panel was more balanced, with Etienne Drouard attorney at K&L Gates, specialized in Privacy matters, and Geoffrey Delcroix, CNIL Innovation Director (CNIL being the French Internet Regulatory Body), as well as Hervé Le Jouan, CEO of Privowny, and Tristan Nitot, Principal Evangelist Mozilla Europe (a brilliant coffee brewer as well…), the whole thing being moderated by Bruno Perrin, Media & Entertainment Leader at EY.

Between tools to manage oneself’s privacy (see my own selection at the bottom of this post) and various comments to the Privacy Laws, the main impression that remains from this panel discussion is that handling Data Privacy is like walking on a tight rope…

Two opposite views are currently cleaving the internet:

  • On one side, the “libertarian” internet promoters, with their concepts based on freedom as wide as possible (net neutrality, open data, open source, etc…), whose view of privacy is linked to each person individual right to protect one’s privacy. A global “do-not-track” by default would certainly please them, especially if companies are to respect it forcefully…
  • On another side, at the opposite of the scope, we have the state bodies, willing to set more control on the internet, as this is something that they do not only misunderstand, but also fear; in this respect, they wish to instate regulations, privacy by design, control over content, etc…

And, in the middle, the so-called “new economy”, all these companies and people trying to make a sensible use of the internet… Not easy, mmh? What I understood very clearly from the panel discussion is that none of the extreme behaviors depicted above would give internet a chance. Setting “do-not-track” by default would simply lead companies to ignore it, and hence kill the idea. And on the other side, regulating the market by law would technically make it die, in the end. Hence, the tight rope strategy is the only one that remains, with a difficult balance between market freedom and people’s protection, between business and privacy…

So what are we left with? We can try to manage our own privacy, and ensure it does not go beyond the borders we have set. Nobody lives in a cave with no contact to the outside any more (as this would probably be the only way to fully protect one’s privacy…). But nobody wants to live constantly under the eyes of watchers, as in a personal Truman Show, especially when your information is wanted for their business… We may go on using internet, conscious that we are watched, but managing this, and knowingly give our consent wherever we believe it makes sense, blocking all other non-sollicited requests…

There are many tools to do so. Probably too many. I personally use five.

  1. An ad-blocker: this is not a must have, but it may be useful , especially to speed up your browsing. I use AdBlock, a Chrome extension. The disadvantage of this, is that most ad-blockers do not offset the changes in the layout of the website, making it sometimes barely readable (as for instance my favorite sport page, Sport24). And do not forget that most sites earn their money thanks to the ads… So I disable it now and then, especially when visiting sites with less audience.
  2. A user/password manager: this is highly interesting, to ensure you know what and where you have been logging in, and ensure nobody is using some of your identities without you knowing it. I am using the Privowny tool bar, a very useful add-on.
  3. An identity verifier: this is for Twitter in particular. To avoid being followed (and spammed) by robots and fake followers, I am using TrueTwit, a simple (and not so expensive) tool to filter and verify any Twitter user. I have less followers now, but only real people…
  4. A do-not-track option: I also use, now and then, the do-not-track feature in my browser (Chrome). This I do especially when shopping or banking online, so as to minimize the amount of cookies shared by these companies that also own very personal information of mine. I know, this is more a wishful thinking, but at least shows that I am not ready to let everything leak.
  5. A graphical cookie tracer: I have uploaded CookieViz from the CNIL website, a free software to visualize your browsing, and the cookies that have been shared with third parties. At least, when you browse websites, including your favorite ones, you know what you are at… Below a short description of this tool (currently only available for Windows OS, soon to come for Mac and Unix).

CookieViz example

The picture shows a session for 7 browsed sites (9 views total). The 7 websites are “circled” with red pentagons. Up right is Sport24 (link provided above), below e-commerce website CDiscount.fr and information website LeMonde.fr.

At the bottom, from right to left, a gaming website BigPoint.com, my About.me profile and this blog’s dashboard page. In the middle, Avinash Kaushik’s blog (Occam’s Razor), showing that even the blog of a respected digital evangelist like Avinash may share third-party cookies…

The graph is, I believe, self-explanatory; the visited websites (red pentagons) are generating cookies (all blue round spots), which are kept for first-party usage (blue links) or shared with third-party (red links). To be clear, I have disabled the AdBlock to generate this graph, so as to prevent partial representation.

This tool is highly interesting in my eyes. It does not block anything, but shows you everything. At least, the user knows what happens when he/she visits a website, and may decide to go on browsing, or choose alternatives websites with a better sharing policy, especially regarding third-party cookies.

A better informed customer always makes better choices.