Privacy Advocate Challenges YouTube's Ad Blocking Detection Scripts Under EU Law

Interview Last week, privacy advocate (and very occasional Reg columnist) Alexander Hanff filed a complaint with the Irish Data Protection Commission (DPC) decrying YouTube's deployment of JavaScript code to detect the use of ad blocking extensions by website visitors.

On October 16, according to the Internet Archives' Wayback Machine, Google published a support page declaring that "When you block YouTube ads, you violate YouTube's Terms of Service."

"If you use ad blockers," it continues, "we'll ask you to allow ads on YouTube or sign up for YouTube Premium. If you continue to use ad blockers, we may block your video playback."

YouTube's Terms of Service do not explicitly disallow ad blocking extensions, which remain legal in the US [PDF], in Germany, and elsewhere. But the language says users may not "circumvent, disable, fraudulently engage with, or otherwise interfere with any part of the Service" – which probably includes the ads.

Image of 'Ad blockers are not allowed' popup – Click to enlarge

YouTube's open hostility to ad blockers coincides with the recent trial deployment of a popup notice presented to web users who visit the site with an ad-blocking extension in their browser – messaging tested on a limited audience at least as far back as May.

In order to present that popup YouTube needs to run a script, changed at least twice a day, to detect blocking efforts. And that script, Hanff believes, violates the EU's ePrivacy Directive – because YouTube did not first ask for explicit consent to conduct such browser interrogation.

Fitting a pattern?

Such non-consensual technical interaction has been a concern of Hanff's for at least the past seven years.

"In early 2016 I wrote to the European Commission requesting a formal legal clarification over the application of Article 5(3) of the ePrivacy Directive (2002/58/EC) and whether or not consent would be required for all access to or storage of information on an end user's device which was not strictly necessary," Hanff told The Register.

"Specifically whether the deployment of scripts or other technologies to detect an ad blocker would require consent (as it is not strictly necessary for the provision of the requested service and is purely for the interests of the publisher). The European Commission sent me a formal written response agreeing with my position that such activities would require consent."

At the time, he added, he visited the Irish DPC in Dublin and EU data authorities in other countries to discuss The European Commission's response. Now that YouTube has deployed ad blocking detection, Hanff has asked the Irish DPC to take action.

"In a call I had with the Irish DPC at the end of last week (after filing my complaint against YouTube), they did not disagree with my analysis and agreed to reach out to YouTube (Alphabet)," Hanff said. "I have since received another update that they have reached out to YouTube on Monday and will update me at the end of the week with any further information."

A spokesperson for the Irish DPC told The Register that Hanff's complaint had been received, but declined to comment further while it is being evaluated.

screenshot of Hanff's complaint form – Click to enlarge

Asked how he hopes the Irish DPC will respond, Hanff replied via email, "I would expect the DPC to investigate and issue an enforcement notice to YouTube requiring them to cease and desist these activities without first obtaining consent (as per [Europe's General Data Protection Regulation (GDPR)] standard) for the deployment of their spyware detection scripts; and further to order YouTube to unban any accounts which have been banned as a result of these detections and to delete any personal data processed unlawfully (see Article 5(1) of GDPR) since they first started to deploy their spyware detection scripts."

Hanff's use of strikethrough formatting to acknowledges the legal difficulty of using the term "spyware" to refer to YouTube's ad block detection code. The security industry's standard defamation defense terminology for such stuff is PUPs, or potentially unwanted programs.

Hanff, who reports having a Masters in Law focused on data and privacy protection, added that the ePrivacy Directive is lex specialis to GPDR. That means where laws overlap, the specific one takes precedence over the more general one. Thus, he argues, personal data collected without consent is unlawful under Article 5(1) of GDPR and cannot be lawfully processed for any purpose.

With regard to YouTube's assertion that using an ad blocker violates the site's Terms of Service, Hanff argued, "Any terms and conditions which restrict the legal rights and freedoms of an EU citizen (and the point of Article 5(3) of the ePrivacy Directive is specifically to protect the fundamental right to Privacy under Article 7 of the Charter of Fundamental Rights of the European Union) are void under EU law."

Therefore, in essence, "Any such terms which restrict the rights of EU persons to limit access to their terminal equipment would, as a result, be void and unenforceable," he added.

Not just cookies it seems

Hanff's contention that ad-blocker detection without consent is unlawful in the EU was challenged back in 2016 by the maker of a detection tool called BlockAdblock. The software maker's argument is that JavaScript code is not stored in the way considered in Article 5(3), which the firm suggests was intended for cookies.

Hanff disagrees, and maintains that "The Commission and the legislators have been very clear that any access to a user's terminal equipment which is not strictly necessary for the provision of a requested service, requires consent.

"This is also bound by CJEU Case C-673/17 (Planet49) from October 2019 which *all* Member States are legally obligated to comply with, under the [Treaty on the Functioning of the European Union] – there is no room for deviation on this issue," he elaborated.

"If a script or other digital technology is strictly necessary (technically required to deliver the requested service) then it is exempt from the consent requirements and as such would pose no issue to publishers engaging in legitimate activities which respect fundamental rights under the Charter.

"It is long past time that companies meet their legal obligations for their online services," insisted Hanff. "This has been law since 2002 and was further clarified in 2009, 2012, and again in 2019 – enough is enough."

Google did not respond to a request for comment. ®