Privacy online: 65% of websites in Europe do not comply with the EU “Cookie Law”

2 August 2017

The advent of the Internet has profoundly changed people's lives. Purchasing products online, keeping up to date, managing social relationships and organising leisure time are just some of the activities that are carried out through the web. However, the business model that guarantees the free-of-charge nature of much of the content on the Web is based on the collection of user information.

One of the great issues debated when talking about using websites and social networks is therefore to what extent the privacy of users is respected during their online activities. Quantifying this phenomenon - and finding possible solutions to the fraudulent exploitation of online data - is the goal of the research unit consisting of Hassan Metwalley, Stefano Traverso and Marco Mellia from the Department of Electronics and Communications at the Politecnico di Torino.

There are in fact thousands of tracking services (trackers) associated with web portals, the most popular ones and others alike, whose business is based on the collection and sale of the personal data of users. Theoretically, the information collected should only be sold to advertising agencies to carry out targeted promotional campaigns. Unfortunately, however, cases have emerged in which the data collected by tracking services has been sold to entities of dubious reputation or used to harm the users themselves.

In an attempt to govern the tracking phenomenon on the Web, in 2002 the European Union introduced the “ePrivacy” Directive. This directive, which became operational in 2013, envisages that every website must request the consent of its users to use tracking technologies, such as cookies; for this reason, the directive has been nicknamed the “Cookie Law”. Consent is usually requested using a panel on the homepage of the website.

Metwalley and his colleagues have carried out the first large-scale study to understand, four years after its application, whether the ePrivacy Directive is actually being respected and whether, therefore, it has achieved its objectives. The results obtained are stunning: 65% of websites do not comply with the directive, using tracking techniques (such as profiling cookies) before the user provides consent. The percentage exceeds 90% for some categories of websites, such as News and Entertainment. In essence, it was demonstrated that the directive has failed to meet its objectives, not being able to govern a phenomenon, web tracking, which has taken on increasingly worrying dimensions over the years.

This research stems from the research group's several years of experience on the issue of online privacy. This activity has led to the creation of a spin-off of the Politecnico di Torino called Ermes Cyber Security, which, thanks to patented Machine Learning-based algorithms, offers advanced anti-tracking solutions for the business world.

The spin-off's activities focus on protecting the business world from cyber attacks that exploit the information companies are constantly sending to web tracking services.