On February 14, 2018, Exodus Privacy was invited by the CNIL (“Commission Nationale de l’Informatique et des Libertés” in French, “National Commission for Computing and Liberties” in English) to its premises to present itself and its activities.
There were many participants on the CNIL side, around 15 people, from different departments. We were initially invited by Geoffrey Delcroix, from LINC (“Laboratoire d’Innovation Numérique de la CNIL” in French, “CNIL Digital Innovation Laboratory” in English).
Were represented in particular:
Several points were discussed, including:
Many questions focused on the operation of the platform, in particular on a possible peer review to validate the operation of εxodus (potentially by INRIA), in particular to eliminate any suspicion of false positives. Completeness (a complete and up-to-date list) of trackers is a much more difficult challenge, as the number of players in the field continues to grow. One of the key points that was clarified was the distinction between on-board “tracker” and active on-board “tracker”, especially since there is no evidence that a tracker inactive at time T is not at T + 1. It is difficult to give a ruling for legal reasons in France (in particular because of decompilation, which is prohibited).
LINC will install an instance of the εxodus platform for its own analyzes and out-of-control investigations.
The CNIL plans to cite εxodus via several channels: from individuals (the CNIL offers a list of recommended tools and good practices for obtaining information, for example CookieViz), from professionals (more precisely by mentioning εxodus in the method of privacy impact assessment (ÉIVP / PIA) supported by the GDPR, and via a mixed but freer channel (an article on the LINC blog).
Exodus Privacy has raised the question of a possible right of reply from publishers on reports published on the εxodus platform. We were told that the strict objectivity of Exodus Privacy reports cannot be the subject of a right of reply and that it is the responsibility of the publisher of the application concerned to report the presence and the use of trackers.
We would once again like to thank the various contacts from the CNIL and LINC who received us.