EU ePrivacy and __cfruid cookie

I had seen a previous article about the __cfruid cookie being designed to prevent DDoS attacks and to ensure load balancing: What does __cfRuid cookie do?

The approach from Cloudflare was to install a __cfruid cookie on every user's computer without consent, saying that this cookie was strictly necessary for the operation of the service.

New ePrivacy regulation from the EU in Feb 2021 expands the requirement of consent to all cookies including those that are labeled as strictly necessary. See the links in this article EU’s ePrivacy Regulation & cookies | ePrivacy Regulation 2021 Updates

How is Cloudflare planning to meet the requirements of the EU’s ePrivacy regulation to not install any cookies prior to user consent?

We are frustrated that all sites in Hubspot cannot meet EU ePrivacy requirements because of a decision made by Cloudflare to install user cookies without user consent.

Is this a legal opinion of the new legislation? Or, do you have a link to a draft or proposed version of this legislation (none of your links seem to actually include such)? The semantics matter a ton when determining this.

Thanks for asking, this was the legal opinion of our lawyer who specializes in GDPR. I’ve also seen a similar opinion from CMS Law.

You can see the full text at https://data.consilium.europa.eu/doc/document/ST-6087-2021-INIT/en/pdf

In particular, look at Article 8.1(g), which requires clear notice of how cookies like __cfruid will be used (this is not provided), and look at the requirements from Article 8.1(h), which I’ve added below.

Such further processing in accordance with paragraph 1 (g), if considered compatible, may only take place, provided that:

  • (i) the information is erased or made anonymous as soon as it is no longer needed to fulfill the purpose,
  • (ii) the processing is limited to information that is pseudonymised, and
  • (iii) the information is not used to determine the nature or characteristics of an end-user or to build a profile of an end-user.

Under ePrivacy Feb 2021 notice in plain language is required to explain exactly what data is stored on the terminal device, what processing takes place, and when the information will be erased. Typically this is done through a cookie consent dialog that refers to a cookie policy and a privacy policy.

This means installing __cfruid prior to notifying the user about its purpose, processing, and data retention policy would be a violation of EU ePrivacy Articles 8.1(g) and (h).

Does that clarify the semantics for Cloudflare?

It sure doesn’t look like that regulation has taken effect. Everything I see calls it a “Draft”. And there’s this:

With the approval last February 10, 2021, the Council of the European Union was given the mandate to start negotiations with the European Parliament, with which the terms of the final text will be discussed. The ePrivacy Regulation will enter into force 20 days after publication in the Official Journal of the EU and will begin to apply two years later.

From ePrivacy Regulation - Text approved by the Council of the European Union

1 Like

We could argue that it takes time for EU ePrivacy regulation, however it doesn’t stop EU countries from approving legislation based on ePrivacy and putting it into effect now.

For example, the German government approved Section 8 of the ePrivacy rules on May 28, 2021 and it comes into effect Dec 1, 2021. This means that any sites using the Cloudflare CDN in Germany will be in violation of TTDSG.

TTDSG (Act on the Regulation of Data Protection and Privacy in Telecommunications and Telemedia) will become relevant at the federal level for the setting of cookies. The TTDSG received the approval of the Bundesrat on 28 May 2021 and will enter into force on 1 December 2021. For the storage of information on a user’s terminal device, i.e. the use of cookies and similar storage methods, such as local storage, the TTDSG requires the user’s prior consent based on clear and comprehensive information. The requirements for this information and consent are based on the GDPR.

I’m not going to argue. That’s what lawyers get paid for. And in this case, it’s up to Cloudflare’s legal team to deal with stuff like this.

You should probably ask them, or have your lawyer ask their lawyer. You’re not going to get legal advice in the Community. At least none you should pay attention to, as it’s worth exactly what you paid for it.

1 Like

As mentioned previously I had already asked our lawyer about this, I contacted Hubspot and they told me that it’s their CDN and that I need to come to the community. That’s why I created an account and started this thread.

If you’d like to provide the legal contact for Cloudflare I’m happy to connect with them as suggested.

Can you help me understand the resistance to removing the __cfruid cookie?

If Cloudflare wanted to meet the requirements of TTDSG by Dec 1, 2021 how might it achieve the same goals accomplished with __cfruid without the need to install a cookie before user consent?

A reminder that nobody that’s replied here so far is a Cloudflare employee.

For technical reasons, I can’t say for certain, but it would be a good guess that they want rate limiting to be applied on a per-machine basis instead of per IP address, as otherwise too many people on one NAT’d network, such as an office network, might trip a rate limit rule when many people are using the site at once. The only real way to fix this is to apply a unique ID [cookie] to each browser or use IPv6 addresses, which are assigned on a per-machine basis (unless the network admin is crazy and does IPv6 NAT).

I’m not sure there’s any resistance, just that it hasn’t been talked about yet. CF has already removed the _cfduid cookie, so I’m sure they’re open to considering removing this cookie after discussions.

It might be most useful if you ask Hubspot to discuss this cookie on their customers’ behalf, as I assume they’re an Enterprise customer with many EU customers themselves and have a direct line to beginning internal discussions within CF about this cookie. Otherwise, there is a [email protected] email if you want to try that.

3 Likes

I’ve emailed legal and Hubspot as suggested.

I can see how a really large corporate NAT could look like a DDoS on IPv4 and how IPv6 could answer where the many requests come from.

There are techniques like Canvas fingerprinting that allow you to isolate browsers on IPv4 without installing a cookie. Canvas Fingerprinting - BrowserLeaks

The browser can block these requests just like it can block the storage of a __cfruid cookie. The main difference is that one doesn’t need to store a cookie on the end user device.

Fingerprinting something like that carries multiple problems, such as dealing with devices with the same fingerprint.
For example, as part of Apple's privacy terms, they make all devices seem identical to fingerprinting (which makes it a major hassle for bot protection providers, as bots simply attempt to spoof their device to look like an iPhone).

That’s a great link on Fingerprinting. And for those who want to see it in action:
https://amiunique.org/

2 Likes

(I am not a lawyer)

Cloudflare is not under any obligation or requirement in any jurisdiction to notify or obtain consent to set cookies on any websites except those they operate themselves. If a Cloudflare customer enables a feature that currently requires a cookie to operate, then the obligation is on the Customer.

I suspect that in most cases a Cloudflare customer will define Cloudflare cookies as Strictly Necessary, and consent would not be required, but notification is generally recommended if not mandated.

Almost if not all CF cookies are optional, and the customer can choose to disable the feature if they don’t want to use that feature.

2 Likes

This is a pretty broad statement, and as you mentioned you are not a lawyer, and as I previously mentioned there is an obligation under EU ePrivacy Section 8, which is implemented as law in Germany.

That’s a good strategy on the part of Apple, but it’s only one of many approaches to uniquely identifying a user without cookies. Another is ETags, where a unique invisible image is sent to each browser and cached. Then you would see one of two types of behaviour that would indicate a DDoS:

  1. A rapid sequence of sequential new ETag requests
  2. The same ETag making many requests over and over again.


Would any of the suggestions listed above work?
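As an added illustration (not code from this thread, Cloudflare or HubSpot), the Python sketch below shows why the earlier reply wanted rate limiting keyed per browser rather than per IP address, and how the two ETag behaviours listed above would surface in request logs. The log lines, addresses, identifiers and thresholds are all constructed for the example.

```python
from collections import defaultdict, deque

WINDOW = 10.0     # sliding window in seconds
MAX_PER_KEY = 5   # requests one key may make inside the window
NEW_ID_BURST = 4  # requests from one IP that never present an issued identifier

# Constructed request log (not real traffic): (timestamp, client_ip, client_id).
# client_id is the per-browser identifier the edge hands out (a cookie value or
# the ETag of the invisible image); None means the browser presented none.
REQUESTS = (
    # an office behind one NAT address: eight different browsers, one request each
    [(float(i), "203.0.113.10", f"office-{i}") for i in range(8)]
    # one browser replaying the same identifier far too often (behaviour 2)
    + [(20.0 + 0.5 * i, "198.51.100.7", "etag-7f3a") for i in range(8)]
    # one address that never returns the identifier it was given (behaviour 1)
    + [(40.0 + i, "198.51.100.9", None) for i in range(6)]
    # an ordinary user: three requests, identifier returned each time
    + [(60.0 + i, "192.0.2.5", "user-a") for i in range(3)]
)

def sliding_window_offenders(events, key_fn, limit, window):
    """Return the keys that exceed `limit` events inside any `window` seconds.
    events are ordered by timestamp; key_fn returns None to skip an event."""
    recent = defaultdict(deque)
    offenders = set()
    for ts, ip, cid in events:
        key = key_fn(ip, cid)
        if key is None:
            continue
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > limit:
            offenders.add(key)
    return offenders

def per_ip_offenders(events):
    # keying on the source address alone: the NAT office trips the limit too
    return sliding_window_offenders(events, lambda ip, cid: ip, MAX_PER_KEY, WINDOW)

def per_client_offenders(events):
    # keying on the per-browser identifier: only the replaying browser trips it
    return sliding_window_offenders(events, lambda ip, cid: cid, MAX_PER_KEY, WINDOW)

def identifier_churn_offenders(events):
    # behaviour 1 from the post: a burst of requests that keep needing a new identifier
    return sliding_window_offenders(
        events, lambda ip, cid: ip if cid is None else None, NEW_ID_BURST, WINDOW)
```

Running the three functions over REQUESTS shows the office address flagged only under per-IP keying, while per-client keying flags just the replaying browser and the churn counter flags the address that never returns its identifier.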

The ETag seems interesting and could work; at first glance it could replace a cookie. However, the amount of engineering required to do it seems beyond any reasonable motive unless explicitly forced by law.

The other 4 techniques are commonly used to detect bots in current enterprise bot protections.

I think the statement is justified, as customers’ websites are the ones that request Cloudflare place the cookie there (by using the rate-limiting feature before a user consents to be tracked). It’d be like if you used Google Analytics and would fail due to the _ga cookie - if Google doesn’t have an option to disable this cookie, your only option to comply with a “0 cookies” hard requirement would be to stop using Google Analytics - or in this case, Cloudflare rate limiting. In the end, the company in control of the end-user-facing website is responsible for only using technologies that comply with laws in countries that you expect to conduct business in, and part of that might be pushing for your vendors (in this case, Hubspot and/or Cloudflare) to use fewer tracking technologies, as you’ve rightfully done here.

1 Like

You missed my point, in the second half of the sentence. The obligation is generally on the operator of the website or other information service, not on their suppliers. Most service providers' contracts make it clear who is responsible for what elements of data processing.

If I use Google Analytics, is it Google’s obligation to obtain consent from my users?

The regulations generally use wording like:

the storage of a cookie or similar identifier

the use of processing and storage capabilities and the collection of information from end-user’s terminal equipment

Using ETags, last modified dates, super-cookies, or other technologies to set and retrieve data from a user's device does not circumvent the regulations.

4 Likes
