The European Commission geo-location cookie monster – friend or foe?

in News by Ramsés Gallego.

You've entered the world of geo-location; but do you realise what that means for business? How are the European Commission’s new cookie rules changing the web security landscape?

Regardless of whether you are a Web designer, an IT administrator or a not-so-humble end user of the world wide web, the chances are that the European Commission's new rules on cookies – which became law in late May of this year – will have changed your outlook on the Internet.

The new cookie privacy rules are the result of revisions to the EU Privacy and Electronic Communications Directive (2002), which was revised by the Citizen's Rights Directive (2009) and implemented in the UK through the Privacy and Electronic Communications Regulations (2011).

Under the new rules, the use of cookies – little bits of data stored on your computer to identify you to websites you visit – is now only allowed if the user has given "informed consent", meaning that websites must give visitors clear and comprehensive information about the purposes for which the cookie is stored and accessed.

There are some exceptions to the legislation, but they are very few and far between.

This is a substantial change from the previous regime, under which cookies were dropped onto a user's computer unless the user had specifically 'opted out' for the site concerned.

The law change – which has been overseen in the UK by the Information Commissioner's Office – has been implemented to provide greater privacy for Internet users, and controls what data a website administrator can drop onto a visitor's computer.

Although the new legislation is still in its early days of deployment – and the ICO has not yet begun 'discussions' with any sites for failing to abide by the new rules – my observations are that implementing the directive has not been an easy task for most IT professionals, whilst few Internet users – except those within the IT function – are fully aware of the new requirements and what they mean.

The UK's ICO has issued some helpful guidance notes centering on the need for sites to perform a cookie audit, a user-impact assessment and an action plan. Most automated 'website in a box' services have also launched an EU cookie facility for their clients.

Welcome to the world of geo-location

Geo-location is a discipline that is firmly on the modern Internet-aware business agenda, as it can bring tremendous marketing rewards to the site concerned, in the form of geo-marketing activities and targeted messages.

It's worth noting that the new cookie legislation presents a number of risks to portals that use geo-location technology – and many businesses have discovered that the risks can potentially outweigh the rewards, mainly because their site is now required to interpret a lot of the data on the user 'in the clear', including location, time and Web-browsing habits.

In view of this, businesses will need to be cautious when embracing mobility and all the features that come with it – as well as including mobile devices within their corporate security strategy and integrating those devices within their business asset management programme.

The issue that is of most concern, we have observed, is that a growing number of mobile devices have corporate information stored on them and are used for enterprise activities.

The new EU cookie directive obliges service providers to explicitly indicate that the browsing session on a given set of Web pages is being tracked/recorded.

As European legislation watchers will be aware, the new rules are clearly in place for the foreseeable future, and their implications – and resulting implementations – pose a number of difficulties from both a security and a governance perspective.

Many of the ways a business will implement the required advisories, in fact, will involve the use of intrusive messages that advise users about the site’s privacy policy – with many sites preventing easy access to the pages until the user has explicitly accepted the explanation.

ISACA believes that implementing – and continuing to meet the provisions of – the EU cookie directive on a secure and effective basis is the logical way forward, as the data involved is both high-risk and personal.

Sensitive data that could be leaked typically includes information on gender, age and other attributes that could allow your 'digital persona' to fall into the wrong hands, including those of Internet marketers.

This leads us neatly into the privacy aspect of the new legislation – largely as a result of the Internet, most Web users have fewer barriers and fewer secrets than they did just a few years ago.

Many Web users, in fact, now think it is cool to post where they are, what they are doing, with whom, when and even why.

Some 32 per cent of individuals in the US are using location-based services more now than they did 12 months ago, according to an April 2012 survey conducted by ISACA.

Against this backdrop, it is clear that organisations need to address how they are gathering location-based information and what they do with it.

More on how to comply with the directive will be on Real Business tomorrow, in another column by Ramsés Gallego.

Ramsés Gallego is the international vice president of ISACA.