Feedback on our meeting with the CNIL

On February 14, 2018, Exodus Privacy was invited by the CNIL (“Commission Nationale de l’Informatique et des Libertés” in French, “National Commission for Computing and Liberties” in English) to its premises to present itself and its activities.

Present for Exodus Privacy were U+039b (president), Lovis_IX (secretary) and Maxime Auvy (member of the office). We were accompanied by a member of La Quadrature du Net.

There were many participants on the CNIL side, around 15 people, from different departments. We were initially invited by Geoffrey Delcroix, from LINC (“Laboratoire d’Innovation Numérique de la CNIL” in French, “CNIL Digital Innovation Laboratory” in English).

Represented in particular were:

  • the Compliance Department, which generally establishes the interpretation of the Data Protection Act, and the guidelines to be followed by organizations;
  • the Directorate for the Protection of Rights and Sanctions, and more particularly the Control Department, interested in using the εxodus tool as part of the preparation of its missions;
  • the Technological Expertise Department, more specifically with regard to the internal functioning of the tool.

Several points were discussed, including:

  • the genesis of Exodus Privacy;
  • the operation of the platform;
  • technical obstacles;
  • legal obstacles;
  • the evolution of the platform;
  • the help that the CNIL could give us;
  • the directions for the future…

Many questions focused on the operation of the platform, in particular on a possible peer review to validate the operation of εxodus (potentially by INRIA), notably to eliminate any suspicion of false positives. Completeness (a complete and up-to-date list) of trackers is a much more difficult challenge, as the number of players in the field continues to grow. One of the key points that was clarified was the distinction between an on-board “tracker” and an active on-board “tracker”, especially since there is no evidence that a tracker inactive at time T will not be active at T + 1. It is difficult to give a ruling for legal reasons in France (in particular because of decompilation, which is prohibited).

LINC will install an instance of the εxodus platform for its own analyses and for investigations outside the scope of controls.

The CNIL plans to cite εxodus via several channels: for individuals (the CNIL offers a list of recommended tools and good practices for obtaining information, for example CookieViz), for professionals (more precisely by mentioning εxodus in the privacy impact assessment (ÉIVP / PIA) method supported by the GDPR), and via a mixed but freer channel (an article on the LINC blog).

Exodus Privacy raised the question of a possible right of reply from publishers on reports published on the εxodus platform. We were told that, given their strict objectivity, Exodus Privacy reports cannot be the subject of a right of reply and that it is the responsibility of the publisher of the application concerned to report the presence and use of trackers.

We would once again like to thank the various contacts from the CNIL and LINC who received us.