Cookies and Intranets
The Information Commissioner’s latest guidance on cookies contains some good news for anyone trying to work out how to make a host of internal websites compliant:
How do these rules apply to intranets?
In our view the rules do not apply in the same way to intranets.
(Note however that if Intranet cookies represent personal data then their use does still need to comply with the Data Protection Act 1998).
It therefore seems reasonable to ask what counts as an Intranet. The ICO’s legal argument seems to be that the cookie regulations only apply when the cookie crosses a public electronic communications service, and where the website and its users are on the same private network that doesn’t happen. In the original sense of the word, an Intranet server was only accessible from computers within the physical premises of the organisation it served (hence Intra-, as opposed to Inter- and later Extra- nets), so provided that organisation’s local area network wasn't accessible to the public (the definition of a public electronic communications service) then, indeed, there was no public network involved. Nowadays it’s relatively common for things like finance systems, confidential filestore, etc. to also be accessible to staff working remotely but using Virtual Private Network (VPN) technologies to create an extension of the private local area network to a remote office or wherever else they may be working. It seems to me that it’s not too big a stretch to argue that that VPN is still a private electronic communications service (even if it may be carried on an underlying public communications network), so using a VPN shouldn’t bring the internal servers into the scope of the cookie requirements.
However, I suspect that just requiring a username and password on a website that’s accessible directly from the Internet isn’t enough to make it an Intranet server. Cookies set by that server are still carried on the public communications network, so the cookie regulations would seem to apply. So webmail services, virtual learning environments (VLEs), etc. do need to be made compliant if they are accessible over the Internet. However, there are a couple of mitigating factors that may make compliance a bit easier. First, the Information Commissioner also points out that both the point where accounts are issued and the login page where credentials are entered provide opportunities to inform users about the cookies that are required to provide the service and (if necessary) to obtain their consent:
Where users open an online account or sign in to use the services you offer, they will be giving their consent to allow you to operate the account and offer the service. There is no reason why consent for the cookies cannot be gained in the same way. (Page 17)
Second, services such as webmail and VLEs already process a lot of personal data about their users, so you should already be informing users about that under the Data Protection Act 1998. Adding first-party cookies to such a server seems to add relatively little to the privacy risk that already exists (if you want to invade the user’s privacy you already have lots of opportunities to do so!). Since the ICO has said that cookies should be prioritised according to the privacy risk they represent, perhaps these cookies aren’t the most urgent to deal with?
PS For any technically-minded readers: yes, I do know that webmail etc. servers use SSL, which looks quite like a VPN. However, if you want to split that particular hair, I’ll reply that when I use a VPN I can only send packets over it and the internal network; when I use an SSL-protected website I can also simultaneously send packets to other locations directly over the public Internet. So I claim there is a technology difference that supports the legal difference I’m proposing.