Ecommerce, Website & Web Applications developers

On a mission in East Africa

Escrivo Internet Consulting — Tue, 14 May 2013 11:46:00 GMT

Escrivo Managing Director, Cameron Leask, has recently returned from a 10-day business trip in East Africa, running workshops with around 30 transportation industry leaders.

The project, which is being led by business partners Upper Quartile, is evaluating the feasibility of using technology to improve market information, reduce costs and increase competition in East Africa’s vital transportation industry. Cameron ran an intensive programme of requirements capture workshops in Kenya, Rwanda, Burundi and Uganda, with colleagues running similar workshops in Kenya, Tanzania and South Sudan.

"It’s been the business trip of a lifetime." said Cameron "It’s been fascinating to identify the dynamics affecting the transportation industry in East Africa, and to be able to hear about, and see first-hand, the issues that shippers and transporters in the region face daily. From the ports on the eastern coast to the land-locked countries in the west of the region, it was clear that the smooth operation of the transportation industry plays a fundamental role in the economic development of the region."

"Much of my time was spent identifying the technology trends and issues that are affecting the transportation industry in East Africa, to ensure that we can put the feedback we received from our workshops into context. We’ll be spending the next few weeks documenting our results and preparing to complete the study by the end of June.”

It wasn’t all work though. Facebook revealed that he was able to sample a number of local beers around the region and even had time to enjoy a few hours with colleagues on safari in Nairobi National Park. :-)

For more information please contact Cameron Leask.

Helping SQA students to B-Ready

Escrivo Internet Consulting — Thu, 11 Apr 2013 13:10:00 GMT

In conjunction with our clients Bright Red Publishing, Escrivo has recently released a mobile application to help SQA students study for their exams.

Award-winning Bright Red approached us with a request to help them produce an app to help students study more effectively while at the same time drawing attention to their range of revision guides and past papers. The result was an Android app which was delivered within a short timescale and within a very tight development budget.

The B-Ready app delivers revision tips for a range of subjects and study levels. Students can select the subjects they are interested in and receive notifications when a new tip is available. Tips can be favourite and saved for subsequent use.

Behind the scenes content is hosted in the Cloud to ensure that when thousands of students access tips, content can be downloaded quickly, and an interesting nuance of the notifications system is that we had to take care to ensure that notifications would not be delivered while students are in school classrooms.

Managing Director of Escrivo, Cameron Leask, said: “we’re really pleased to have been involved with this project because we’ve been able to help thousands of SQA exam students across the country as they revise for their exams.

The app can be found on Google Play and currently requires Android version 2.3.3 or later.

ICO moves to implied consent model for cookies

Escrivo Internet Consulting — Fri, 01 Feb 2013 13:47:13 GMT

The ICO website has moved from requesting explicit consent for cookies to an implied consent model. What's changed?

Starting today (1 February 2013), the ICO website has moved to an "implied consent" model for cookie usage.

Previously the Information Commissioner's website had employed an explicit consent model; this meant that there was a box to be ticked to agree to the ICO's use of Cookies. The change means that the ICO now assumes (or rather, implies from your use of the website) that you accept their use of cookies.

This is a marked change from the previous approach taken and many have seen this as a signal that the "Cookie Laws" are no longer relevant.

We disagree with that assessment: the law is still in place and the ICO's guidance is unchanged:

Implied consent is a valid form of consent and can be used in the context of compliance with the revised rules on cookies.
If you are relying on implied consent you need to be satisfied that your users understand that their actions will result in cookies being set. Without this understanding you do not have their informed consent.
You should not rely on the fact that users might have read a privacy policy that is perhaps hard to find or difficult to understand.
In some circumstances, for example where you are collecting sensitive personal data such as health information, you might feel that explicit consent is more appropriate.

We continue to recommend that a comprehensive Cookie Audit is still the basis for rationalising cookie usage and any cookie disclosures which need to be made.

However we have also followed the ICO's example and moved our own website to an implied consent model for cookie usage. Our website contains detailed information about our cookie usage and visitors are directed to this from links currently shown in both header and footer of every web page.

Our Cookie Audit & Compliance services are available to organisations seeking to review and control cookie usage.

For more information please contact us.

Considering Nominet's proposals for direct.uk domains

Escrivo Internet Consulting — Thu, 29 Nov 2012 12:09:00 GMT

Nominet is currently consulting on a proposal to release "direct.uk" domains - i.e. website.uk rather than website.co.uk - domains. These would be a new Top-Level Domain (TLD) space, .co.uk domains would continue to be valid and usable.

The key features of Nominet's proposal are

a new .uk domain space
mandatory use of DNSSEC as a digital signature to prevent domain hijacking
registrant verification
malware monitoring

Escrivo attended Nominet's round-table discussion in Glasgow yesterday and we thought it would be interesting to document a few notes made during the session.

The session was attended by a number of developers and Nominet registrars such as ourselves, as well as representatives from some large UK brands, a domain investor, and a number of IP lawyers.

The negatives we discussed

The key issues seem to be around confusion. ".co" domain registrants already suffer from some confusion (users considering the lack of ".uk" at the end of the domain is a typo, and adding ".uk" - ultimately arriving at the wrong website) and there was some concern that the use of ".uk" could create a similar problem in the medium term - users inserting the missing ".co" and arriving at the wrong website. This is perhaps mitigated by the use of search engines as the start of many online journeys.
Many of the larger organisations represented have identified that the cost of brand protection is already substantial; in addition to core domain registrations these organisations commonly need to consider various typo combinations in order to protect themselves and a new .uk TLD would simply add to this burden of protection and registration.
The additional features of the proposed .uk TLD imply that the cost of registrations is likely to be higher than the current .co.uk costs so there was some concern around registration fees as well as the overall administrative cost burden of brand protection.
Various concerns were raised about the proposed approaches to registrant verification, both in terms of achieving and maintaining accuracy throughout the life of the domain registration.
The addition of some form of malware scanning was pretty quickly agreed by the participants as a "step too far".

And on the positive side...

From a "big picture" perspective, there is a strong argument for the availability of .uk domains as ICANN moves the global domain system towards the release of hundreds of new gTLDs such as .bbc, .doctor, .scot, .wales and many more: in this context the .uk TLD makes sense as an alternative side-by-side with the new gTLDs.
The mandatory use of DNSSEC does indeed seem to be a valuable addition, although not all registrars and their nameservers can currently support DNSSEC records, so this might cause some challenges in the medium term. This might slow DNS resolution slightly although improved performance of DNS lookups on .uk (one less lookup than .co.uk) will to some extent balance this.
There is a strong argument that the new .uk domain space would provide an opportunity for UK businesses to acquire "stronger" domain names than they currently have access to. The current cry of "all the good .co.uk names have already been taken" would become less relevant as new equivalents in the .uk space would become available... this does however raise the question of how Nominet might run the release process for registrants that have a claim on the .uk version of a .co.uk that they already have.

Overall

The participants at yesterday's round-table certainly didn't reach a conclusion about the desirability of Nominet's direct.uk proposals. As the session closed, there were a variety of views around the table:

an administrative headache
an opportunity to start again
a devaluation of .co.uk domains
a revenue generation tactic by Nominet
a chance to put UK websites and domains on a par with others around the world
an opportunity to tighten some of the (very open) registration policies that Nominet has supported to date
a rebranding nightmare

One observation made by another registrar was that .uk domains would probably be very attractive to startups but very unattractive to businesses that already have some investment in .co.uk domains. A domain trader mourned the reduction of value in his current .co.uk portfolio but welcomed the new opportunities in the proposed new TLD.

Our view

Currently our view is that the proposal as it stands has several flaws. We do however see value in the release of .uk in the context of the wider domain landscape, and to some extent the release of .uk is probably inevitable in the long term. On this basis it's probably better to do it, get it out of the way, and allow UK businesses to move on.

That said, the devil is in the detail, and we're looking forward to seeing a revised proposal from Nominet once the current consultation process completes. The full details of Nominet's consultation are available here: http://www.nominet.org.uk/go/directuk and you are invited to provide your feedback by 7 January 2013.

Escrivo is a Nominet Member and registrar, and provides corporate domain registration and portfolio management services for over 280 TLDs, including .co.uk.

For more information on the direct.uk consultation process or domain registration and management generally, please contact us by phone on +44 131 225 8199 or complete our contact form.

Online shopping, personalised pricing and cookies

Escrivo Internet Consulting — Mon, 19 Nov 2012 11:52:00 GMT

The Office of Fair Trading (OFT) has launched a call for information on the use of consumer data to modify pricing. The technologies used to implement this personalised pricing include cookies, and care needs to be taken to ensure that adequate disclosures are being made to allow consumers to make a fully informed choice when they consent to the use of cookies.

If you don't know much about personalised pricing then there's a useful BBC Breakfast video interview here which describes the process. Basically:

as a consumer, you visit a site and search for a particular product;
your interest is recorded (and may be shared with other sites);
as you research the market for the product, data builds up showing that you are interested in the product;
the data collected might include details of offers or alternative products you loooked at;
the data is then used to calculate a "personalised price".

The OFT is concerned that websites might now be using this information to inflate prices charged to consumers who are "known" to be specifically interested in the product. (Related news article here.)

This can be made to work in a very similar way to targeted advertising, and you probably won't be surprised to learn that one of the technologies that can be used to implement personalised pricing is the Cookie.

With the regulation of cookie usage by the ICO and other European Data Protection agencies, you might think that consumers would be protected from having their data used in "unexpected" ways like this, but it really depends on how transparent websites are about disclosing their cookie usage - and how much attention consumers pay to the cookies that they accept from the websites they visit.

Moreover - many organisations have been using the ICC Classification for their cookies - it provides four classes of cookie: Strictly Necessary; Performance Cookies; Functionality Cookies; and Targeting/Advertising Cookies. The first three categories of cookie are generally perceived as benign or potentially beneficial to the consumer - but it may be the case that the cookies required for personalised pricing are classified on one of those three categories.

As the OFT's call for information proceeds (deadline for submission is 4 January 2013) we would offer the following advice:

For consumers

Read carefully the cookie policies of the websites you visit, before consenting to their use of cookies.
If you think you've been shown inflated prices as a result of personalised pricing in action then you may wish to make a submission to the OFT's call for information

For retailers (and website operators generally)

The regulation of cookies has, to date, focused attention on cookie audit (identification) and consent solutions.
The OFT's project will now bring the purpose of each cookie into focus, and in particular could call into question the completeness and accuracy of your cookie policy, and any descriptions of specific cookies on your website.
In the short term, you may wish to review the depth of the information you provide in these documents on your website, and consider what (if any) additional information needs to be provided to consumers to give a complete and accurate information about the purposes of your cookies.

Escrivo has a full suite of Cookie Compliance monitoring solutions as well as a range of wider Enterprise Solutions for Cookie Compliance, all designed to help businesses of all sizes comply with the legislation.

For more information please contact us by phone on +44 131 225 8199 or complete our contact form.

For more on Cookie Compliance Click here to contact us for information

The real-world meaning of the Article 29 Working Party Opinion on Cookie Consent Exemption

Escrivo Internet Consulting — Fri, 15 Jun 2012 09:54:00 GMT

We take a look at "real world" meaning of the Opinion on Cookie Consent Exemption - recently published by the EU Article 29 Working Party - for website operators.

The Article 29 Working Party is a group of representatives from the EU's data protection and privacy regulators. While an "Opinion" published by them has no legally-enforceable content, it does present a useful view of the shared opinion of the Working Party and its members.

The Working Party has published Opinion 4/2012 (WP 194) (PDF) on Cookie Consent Exemption, which provides some insight into the "grey areas" of the cookie legislation that are otherwise open to interpretation.

As a reminder, the original legislation (Article 5.3 of Directive 2009/136/EC) provides two criteria for exemption from the need to gain explicit consent:

A - the cookie is used "for the sole purpose of carrying out the transmission of a communication over an electronic communications network".
B - the cookie is "strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service".

We have provided our interpretation of the Opinion below.

Cameron Leask, Managing Director of Escrivo, said "The Working Party have highlighted some of the areas that are open to interpretation. For the majority of website operators, we think the Opinion provides some pragmatic and helpful direction for their compliance efforts, and sits well with the guidance for UK website operators that has already been published by the ICO. For larger organisations with multiple websites it may also help them simplify some disclosure and consent aspects, in particular around the definition of third-parties."

Continuing, he said "I'm delighted to see that the Opinion mirrors the interpretation of the legislation we've been providing to our Cookie Compliance clients, and the approach we took to achieve compliance on our own website. The critical first step for all website operators remains to perform a comprehensive Cookie Audit to understand how each website uses cookies."

For information on Cookie Audits Click here to contact us for information

Our interpretation of the Opinion

The Opinion provides some examples of scenarios to illustrate the interpretation of the criteria laid out by Article 5.3, three guidelines, and some further definition of "third party".

The guidelines

The guidelines suggested are:

The "strictly necessary" test needs to be examined from the perspective of the user, not the service provider
Cookies used for multiple purposes can only benefit from an exemption to informed consent if each distinct purpose individually meets the requirements for such exemption
The basis for evaluating an exemption from the requirement to informed consent should always be the purpose of the cookie rather than its technical features.

The definition of "Third Party" cookies

The Opinion provides some clarity on the definition of "Third Party" Cookies, preferring to define a Third Party Cookie from the accepted legal definition of a third party ("a cookie set by data controllers that do not operate the website currently visited by the user") rather than the definition of third party normally used by web browser software ("a cookie set by a website other than the website currently visited by the user").

This specific point may have specific implications for organisations operating a portfolio of websites.

Example scenarios where cookies are used and may be exempt from the requirement for informed consent, under Article 5.3

"User Input" cookies - essentially, session cookies used to keep track of the user's inputs during their visit to the website - are likely to be considered as essential to provide the information service, and hence exempt under Criterion B.
Authentication cookies - session cookies used to maintain a login during a browser session are likely to be exempt under Criterion B. Persistent cookies used to implement "remember me" functionality are not exempt in the same way and require some form of consent to be provided.
User centric security cookies - e.g. cookies tracking failed login attempts from the same computer - follow the same approach as Authentication Cookies, provided they relate to services specifically requested by the user
Multimedia player session cookies: - e.g. cookies stored by embedded video players. These cookies are exempt under Criterion B provided that they relate to technical data required to play back the multimedia content. Cookies stored by these technologies for other purposes (e.g. tracking) must be considered separately.
Load-balancing cookies - typically the sole purpose of these cookies is to define one of the communication endpoints in order to carry out communication over the network and these cookies would be exempted under Criterion A.
UI Customisation cookies - e.g. cookies used to store language preferences. These cookies could be exempt under Criterion B if they are session-based (short term). Longer term usage would require consent and provision of additional information, such as a "uses cookies" notification adjacent to the language selector.
Social plugin content-sharing cookies - e.g. cookies used to identify users when they interact with these plugins. The Opinion draws a distinction between users "logged in" to their social network account and those who are "not logged in". For logged in users, who will expect to be able to use these services, such cookies are necessary for the functionality requested by the user and therefore could be exempt under Criterion B. For non-logged-in users, who would not expect to be "connected" with a Social Network service, consent would be required.
Social plugin tracking cookies - e.g. cookies used by the social networks to track visitors (members and non-members) for purposes of behavioural advertising, analytics or market research. The Opinion makes it clear that these cookies cannot be exempt from the requirement for consent; social plugins should not set third-party cookies in pages displayed to non-members.
Third-party advertising - e.g. cookies used to track users as they move between websites for the purposes of targeted or behavioural advertising. The Opinion is clear that the requirement consent extends to all related third party operational cookies used in advertising including those for the purposes of frequency capping, financial logging, affiliation, fraud detection, research and market analysis as none of these purposes relate to functionality explicitly requested by the user.
First-party Analytics - e.g. cookies used for statistical measurement of website traffic. The Opinion is clear that these cookies are not "strictly necessary" for websites to operate and hence are not exempt from the requirement for consent. However the Opinion also observes that their use is not likely to create a privacy risk when they are strictly limited to "aggregated statistcal purposes" and when they are used by websites that provide "clear information about these cookies in their privacy policy as well as adequate privacy safeguards. Such safeguards are expected to include a user-friendly mechanism to opt-out from any data collection and comprehensive anonymisation mechanisms...". The Opinion also distinguishes these from third-party analytics which pose a greater risk to privacy.

For more on Cookie Compliance Click here to contact us for information

Cookie compliance: Training

Escrivo Internet Consulting — Sun, 03 Jun 2012 15:43:00 GMT

The new cookie legislation makes it essential for everyone involved with website management to understand the issues associated with using cookies.

One of the most widely-reported issues associated with the UK's cookie legislation has been the lack of awareness an understanding amongst website operators and website visitors alike. Our training materials are intended to help provide website operators with the skills required to be able to understand and manage cookie usage.

Our training materials can be tailored to your specific requirements, but our core materials have been developed to meet the needs of staff at every level in a website operations team, including:

content editors and contributors
usability and design specialists
back-end programmers
functionality specifiers (line-of-business managers)
sales & marketing, analysts and planners
legal compliance and internal audit

Depending on the size of your team, sessions can be arranged as a half-day or full-day session and we can deliver the materials in-house or off-site as required.

Our sessions cover all aspects of cookies and other data storage artefacts that are covered by the legislation, how they are used, and how to manage their use. At each session we provide our review of current best practices for audit, disclosure, consent, and cookie usage.

Cookie compliance: Continuous monitoring

Escrivo Internet Consulting — Sun, 03 Jun 2012 14:41:00 GMT

Continuous compliance monitoring is an essential part of the compliance management process. Our cookie compliance tools provide a proactive monitoring solution for any website.

Most websites are changed and updated frequently:

Content updates: content is added or updated by the content management teams, adding articles, videos, etc.
Styling and UI changes: third-party sharing tools for social media campaigns, new accessibility features, payment gateways, and other usability features.
Technology platform updates: implementing new CMS platforms, load balancing technologies, new website functionality, or new toolsets from third-party vendors.

Such changes all bring with them the possibility of additional and undisclosed cookies, either as an integral part of each new change, or (as we found in one recent instance) by accidentally breaking a cookie consent solution.

Our Cookie Audit tools can be scheduled to run as frequently as you need them to, so that up-to-date audit information is always available. Our audit reports highlight differences between each audit and we alert you proactively if we find any new cookies that previously didn't exist.

For high-profile websites or those that change frequently, we recommend auditing on a weekly or monthly schedule. For websites with less frequent updates it may be sufficient to audit every 6 or 12 months.

We can provide advice and recommendations regarding frequency as well as guidance on handling compliance breaches when they happen.

Our Continuous cookie compliance monitoring solution also forms part of our Enterprise Cookie Compliance Solutions.

For more information please click the button below or contact us.

Cookie compliance: Enterprise solutions

Escrivo Internet Consulting — Sat, 02 Jun 2012 15:33:00 GMT

We have a range of solutions to help enterprises meet the compliance requirements of the UK's cookie legislation.

With the introduction of the Cookie legislation in May 2012, enterprise-level organisations operating a portfolio of websites now face a number of new compliance issues:

Managing devolved responsibility for websites and content: the use and management of public-facing websites by different teams across the enterprise isn't new. However, the cookie legislation means that devolving responsibility for content management (and possibly also design and development) now brings with it a devolved responsibility for compliance.
Assumed responsibility for third party solutions: third-party online platforms (for example, recruitment solutions, e-procurement systems, and CRM integrations) are presented as part of the organisation's web offering - by using these the organisation is taking responsibility (or at best sharing responsibility with the vendor) for these systems - again, with responsibility devolved to teams throughout the organisation.

The cookie legislation seeks to control the storage of data on visitor's computer: this compliance burden spans technical, marketing, communications and legal disciplines - and its breadth poses a number of compliance issues for larger organisations:

The initial Cookie Audit process - assessing cookie usage across the entire website portfolio to establish a baseline and assist with compliance planning and implementation.
Monitoring - monitoring of "cookie compliance" on an on-going basis - including the need for centralised reporting of overall compliance status, and the need to report issues to devolved content management teams too.
Reporting and disclosure - maintaining accuracy in the disclosures being made by each website by providing technical support to legal, usability and communications teams as they draft and update privacy policies and disclosures.
Training - supporting teams that manage websites with Cookie Training, to help them understand the legal and technical aspects of cookie usage, and strategies for developing and working within the compliance plans.

We have a complete solution package for enterprise clients which encompasses Cookie audit, cookie monitoring, reporting & disclosure and cookie training.

For more information on Cookie Compliance for larger organisations, click here to contact us.

War stories: why the new EU Cookie legislation is helpful

Escrivo Internet Consulting — Thu, 24 May 2012 14:48:00 GMT

We take a look at why the EU Cookie legislation might be a positive thing for website visitors.

There's been a lot of debate about the value of the "Cookie Law" - the EU privacy legislation relating to the use of cookies on websites - and what value it adds to the "online experience" for ordinary website users.

Over the past few months we've been doing a lot of Cookie Audits for organisations large and small, and we thought we'd present some war stories here, so that you can see some of the interesting things that cookies (and other web artefacts) get used for...

Extent of cookie usage: In one case we visited 8 webpages (all contained advertisements), and received over 230+ cookies from more than 60 sources. The majority of these cookies were third-party "trackers" designed to identify and categorise web users as they move between websites.
Stealth tactics #1: we identified an innocent-looking "sharing service" that waits until the 5th page you visit before deploying a series of third-party tracking cookies.
Stealth tactics #2: we identified a tracker service that stored our user ID in a cookie, a Flash LSO, and in JavaScript localstorage. Even after deleting all our cookies, the service was able to recover the unique user ID it had assigned to us from either the Flash LSO or the localstorage. Many web users don't know how to clear out their Flash LSOs and localstorage - making this a particularly cheeky way to track users across multiple websites.
Local privacy issues: we've found several cookies that store personal data in plain-text on the visitor's PC. Common example included postcodes and email addresses from signup forms. The best example was an alcohol-related website with an "age-gate" which asked for the visitor's date of birth. The date was stored in plain text in a cookie.
Third-party content issues: after session cookies and analytics cookies, the most common reason for a website to leave a cookie behind is embedded third-party content like Google Maps or video content from YouTube or Vimeo etc. We also found several situations where the embedded content also included its own third-party content (such as trackers and advertising-related cookies).
Benign cookies: there are lots of instances where cookies are used for simple, reasonable, non-privacy-invasive purposes too. Common examples that we've seen have included storing accessibility settings and location preferences - and cookie consent preferences, of course!
JavaScript is not a prerequisite for cookies: Many cookies are created from within JavaScript code - but not all. This means that even if the visitor has disabled JavaScript in their browser (common amongst particularly privacy-protective visitors), they might still get served http cookies from a web server (or the web page might still contain a Flash object that uses LSO). As a side issue, if JavaScript is disabled then most of the "plug and play" consent solutions will also not work properly.

So... as you can see, cookies can be used for lots of "interesting purposes" - some "darker" than others. We think that, for all its faults, the new legislation will make a lot of the "darker" issues more visible to ordinary website visitors - which has to be a good thing.

Unfortunately, unless you do the diligence of a Cookie Audit then it can be hard to tell which cookies your website will leave behind on a visitor's computer. Even simple websites can be complex in terms of the cookies they use, and it's worth remembering that you can cause quite a lot of cookies to start appearing by embedding third-party content on your web page.

Find out how to complyClick to enquire about Cookie Audits

You can view this link for more help with Cookie Audits.