by jjoergensen 1889 days ago
What would this tracking mean with regard to following the EU ePrivacy Directive? My understanding is that session resumption mechanisms could be used to track users by capturing the session ID and associating it with the user's IP address; it should follow that the use of such devices should be allowed only for legitimate purposes, with the knowledge of the users concerned?

"(24) Terminal equipment of users of electronic communications networks and any information stored on such equipment are part of the private sphere of the users requiring protection under the European Convention for the Protection of Human Rights and Fundamental Freedoms. So-called spyware, web bugs, hidden identifiers and other similar devices can enter the user's terminal without their knowledge in order to gain access to information, to store hidden information or to trace the activities of the user and may seriously intrude upon the privacy of these users. The use of such devices should be allowed only for legitimate purposes, with the knowledge of the users concerned.

(25) However, such devices, for instance so-called "cookies", can be a legitimate and useful tool, for example, in analysing the effectiveness of website design and advertising, and in verifying the identity of users engaged in on-line transactions. Where such devices, for instance cookies, are intended for a legitimate purpose, such as to facilitate the provision of information society services, their use should be allowed on condition that users are provided with clear and precise information in accordance with Directive 95/46/EC about the purposes of cookies or similar devices so as to ensure that users are made aware of information being placed on the terminal equipment they are using."

Source, ePrivacy Directive: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL...

1 comment

The ePrivacy Directive makes a bit of a distinction between data stored on the client, vs network information. Cookies are the former, IP addresses are the latter. From reading the paper, the TLS session ID is stored on the client, and sent to the server. So for the ePD, this is in the same category as cookies, not IP addresses.

The complicating factor is that the TLS session ID has a legitimate purpose, and this tracking is a secondary use of that data. I know what GDPR says about that topic, but I'm less familiar with the ePD. I'm trying to read the law, but it's less approachable than GDPR. I think secondary uses still require strict consent, but I'm not sure.

The UK implementation of ePD is a pretty strict application, only allowing 2 grounds to use a "cookie" (note that means other identifiers like session identifiers, although everyone says cookie).

One ground is necessity to deliver the packets to you (IP address can be used to route a reply back to you in TCP/IP), and the other ground is to deliver a feature you explicitly request, and can't be done otherwise (adding an item to your shopping basket, for example).

Neither lets you go beyond functionality, so use of a TLS session identifier to me would be a straightforward breach, if the purpose was anything beyond basic connection setup. At that point, informed, explicit, specific, opt-in consent is required. And contrary to all the illegal cookie walls, you can't require or presume this consent - that isn't consent!