SAP Universal ID and GDPR

Published by Tobias Hofmann on


Disclaimer: I am not a GDPR expert. What I know about GDPR I learned by running my private web site.

My understanding of GDPR compliance is that if your site uses optional cookies, you show a cookie notice and inform the users of your site that cookies are set. Detail in a document what cookies are used, even when you only use technically necessary cookies. As well as making clear which services are accessed and what kind of personal data is processed, why, and where. And make sure to not load data from e.g. Google servers at page load. With this – I confess, limited knowledge background – I accessed SAP’s ID service. I did not come across some things I thought are mandatory:

  • No cookie notice, or a document detailing for what mandatory cookies are used.
  • Loading data from non-SAP sites.
  • Not always providing a link to a data privacy document.

I guess that SAP knows what they are doing and therefore the ID Service and Universal ID are fully compliant. In that case, please, someone leave a comment explaining what I am missing.

SAP ID Service

If you work with SAP it is very likely you either have an S-User or P-User. These are needed to access protected services or to log in to websites and are used to authenticate using SAP’s ID Service. If you access the SAP ID Service you will get a logon form.

The page does not contain:

  • cookie notice
  • link to data privacy

Normally a public facing page should contain a link to the company’s data privacy. For the cookies: maybe the SAP ID Service logon page does not set any cookie? Let’s validate this:

The page sets cookies. A look at the browser shows that two cookies are set: JSESSIONID and XSRF_COOKIE. Assuming these are mandatory cookies and needed to provide basic functionality like a session cookie, these can be set without user consent (although it can be argued if it is not possible to set them only after the user sends the credentials; e.g. setting JSESSIONID after a successful authentication). No optional cookies are set e.g. for tracking. Not showing some cookie notice information is OK, but shouldn’t there be a link to data privacy or cookie statement?

Regarding resource loading, everything is loaded from the same server: accounts.sap.com.

Regarding the missing data privacy and cookie statement: you might say that the logon page is not intended for direct access and public facing. A user normally first accesses an SAP site like sap.com and is redirected to the ID Service for logon. On the main pages like sap.com you get a cookie notice and privacy policy. But, you can log on to SAP IDS and access your profile. So the direct access is possible. Let’s take a look at the SAP Universal ID scenario.

SAP Universal ID

SAP sent out in October an e-mail informing S/P-Users that you need to upgrade your account to an SAP Universal ID. I do not know how many people received this e-mail, but I guess it was not just me.

The e-mail contains a link to SAP UID registration page.

https://account.sap.com/core/create/landing

It is the same server name account.sap.com as above, just that the SAP UID website is on a separate path. Accessing the link shows the SAP Universal ID landing page.

This time the site contains links to privacy policy. It links to the privacy policy specific to SAP Universal ID, not the one you find on other SAP sites like sap.com. What I did not get again was:

  • Cookie notice
  • Cookie statement

Therefore the page should not set optional cookies. As with SAP IDS, maybe the cookies set are absolutely necessary, which seems to allow setting them without notice. But shouldn’t there be some information that technically necessary cookies are used? When accessing the SAP UID landing page some data is loaded.

During the page loading, several cookies are set. No cookie notice or banner or consent or statement informs that cookies are set by the page, nor why they are needed. And: are all those cookies absolutely necessary? Are these cookies needed to provide the service of loading a web page? I accessed the file sso.html from cdc-api.account.sap.com without cookies, just with the same request parameters, and got the same result.

The site also loads data from other sites than sap.com.

Gigya belongs to SAP, but gstatic.com is Google. This is because the site uses ReCaptcha. For the Germans reading this article, you may have heard about a Google Font problem. ReCaptcha is JavaScript and not a font, but maybe the “individuelles Unwohlsein” still applies (that’s the German courts’ contribution to the internet). Seems SAP found a way to load data from Google on page access and still not be affected by the court decision about giving away private data (IP address). If so, I think everyone that runs a web site that loads data from e.g. Google is interested to hear how SAP achieved this. Is it because to be able to use ReCaptcha this is the only way, while for fonts you can host some locally?
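The two checks made by hand above (which cookies a logon page sets before any consent dialog, and which non-first-party hosts the page contacts at load time) can be automated for your own sites. The following is an added example written for this post, not code from SAP or from the author; it parses constructed `Set-Cookie` headers and a constructed HTML document (the host names and cookie values are invented and do not describe any real SAP page) and reports everything a visitor is exposed to before they have had a chance to consent. Feed it the headers and body from a real response (e.g. captured with the browser's network tab) to get the same report for a page you operate.

```python
from html.parser import HTMLParser
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


class _ResourceCollector(HTMLParser):
    """Collect URLs from tags that make the browser fetch something at page load."""

    FETCH_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = self.FETCH_ATTRS.get(tag)
        if wanted is None:
            return
        for name, value in attrs:
            if name == wanted and value:
                self.urls.append(value)


def registrable_domain(host):
    """Crude 'last two labels' rule: enough for sap.com / gstatic.com style hosts.
    It does not handle public suffixes such as co.uk; use a PSL library for those."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def audit_page(page_url, set_cookie_headers, html):
    """Return cookies set by the response and third-party hosts referenced by the HTML."""
    first_party = registrable_domain(urlsplit(page_url).hostname)

    cookies = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            cookies.append({
                "name": name,
                "secure": bool(morsel["secure"]),
                "httponly": bool(morsel["httponly"]),
                "samesite": morsel["samesite"] or "",
            })

    collector = _ResourceCollector()
    collector.feed(html)
    third_party = set()
    for url in collector.urls:
        host = urlsplit(url).hostname  # None for relative URLs, which are first-party
        if host and registrable_domain(host) != first_party:
            third_party.add(host)

    return {
        "first_party": first_party,
        "cookies": cookies,
        "third_party_hosts": sorted(third_party),
    }


def load_time_findings(report):
    """One line per thing that happens before the visitor could consent to anything."""
    findings = [f"cookie {c['name']} is set at page load; it must appear in the cookie statement"
                for c in report["cookies"]]
    findings += [f"resource fetched from third party {h} at page load; the visitor's IP is disclosed to it"
                 for h in report["third_party_hosts"]]
    return findings


# Constructed sample input (hypothetical identity-provider logon page, not a real SAP response).
SAMPLE_URL = "https://idp.example-corp.test/login"
SAMPLE_SET_COOKIE = [
    "JSESSIONID=constructed-session-id; Path=/; Secure; HttpOnly",
    "XSRF_COOKIE=constructed-token; Path=/; Secure; SameSite=Strict",
]
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/static/login.css">
<script src="https://idp.example-corp.test/static/login.js"></script>
<script src="https://www.recaptcha.net/recaptcha/api.js"></script>
<script src="https://www.gstatic.com/recaptcha/releases/constructed/recaptcha__en.js"></script>
</head><body><form></form></body></html>"""

if __name__ == "__main__":
    report = audit_page(SAMPLE_URL, SAMPLE_SET_COOKIE, SAMPLE_HTML)
    for line in load_time_findings(report):
        print(line)
```

The report only covers what is visible in the first response: cookies set by scripts after load (such as the `_GRECAPTCHA` cookie mentioned further down, which is set by the ReCaptcha domain rather than by the page) need a browser-side capture to appear, so treat a clean result as a lower bound.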

On the Universal ID landing page the user is not informed that data from Google is loaded. To get that information it is necessary to start the registration process by clicking on “Get started”.

On the registration form the notice that ReCaptcha is used is shown. This is as demanded by Google.

But isn’t this too late? Shouldn’t this message be included when the ReCaptcha code is loaded, i.e. already on the Universal ID landing page, since the code is loaded there? I would expect to either show that message at the landing page, or to only load the ReCaptcha code on the registration form page. Or only include ReCaptcha after the user agreed to use it. Maybe by only loading it after the user clicked on “Get started”.

The cookie ReCaptcha is setting is _GRECAPTCHA. Reading some comments regarding ReCaptcha, my impression is that the site should at least show a cookie notice or banner informing about the ReCaptcha cookie or a cookie statement.

SAP is not using the google.com domain, but recaptcha.net. Still, it is Google and not SAP.

Maybe this is all 100% OK, but I am very much interested to know how SAP manages to load data from Google (gstatic, recaptcha) and the user needs to transfer personal data – IP address – which is a problem when it comes to fonts. Is the difference that ReCaptcha cannot be hosted locally?

Accessing sap.com I get the usual cookie notice and a very comprehensive privacy policy. The dialog explains to me in the settings the necessary and technically mandatory cookies and why they are needed. Like: technically mandatory, reason: to be able to log in. The data privacy contains a link to the cookie statement.

The cookie statement for sap.com contains a list of all cookies. The list of required cookies does not list JSESSIONID (from SAP IDS). As the document is linked on neither the SAP IDS logon page nor the SAP Universal ID landing page, is it still valid for these services?

The SAP UID privacy policy does not mention anything about cookies. What I found is that sharing my personal data is voluntary:

“Kindly note that, although any provisioning of Personal Data is voluntarily to you, without your Personal Data, SAP cannot provide you with access to the Universal ID Service.”

Good to know that it is voluntary, but when my personal data (IP address) is mandatorily transferred to Google, I am not sure about the voluntary aspect. The document says something about IP addresses too:

“Any such usage of registration data and IP addresses by SAP is necessary for SAP’s compliance with applicable EU Export Laws (Article 6 para. 1 (c) GDPR) and SAP’s legitimate interest to comply with non-EU Export Laws (Article 6 para. 1 (f) GDPR).”

The IP is used by SAP to ensure that someone from a country forbidden to use the service. I do not think that this is what ReCaptcha does. Seems the site is using CloudFront. CloudFront offers such a service.

So far what I came across is that the SAP Universal ID and ID Service web sites are setting cookies without informing the user of this or detailing the required cookies. Data is loaded from Google and therefore personal data is shared with Google at page load.

I wrote an email to privacy at SAP raising the above questions. Their SLA is not aligned with my posting schedule so I did not receive back any information or clarifications regarding my questions. As soon as I get these I will share the outcome here. A cookie notice/banner/consent is necessary when technically required cookies are used. Informing the user that they are set is required. Some cookies might be considered optional. A different architecture can prevent early loading of files and cookie creation.

If a reader can provide insights or has expert knowledge on these topics, feel free to post a comment. IT law gets more and more important, and GDPR is a topic many of us have to deal with sooner or later.

How others do it

In the meantime I took a look at other service providers and how they handle the cookie or data privacy notice for their login pages. First, Azure. In the footer you can see a link to data privacy and cookies (Datenschutz & Cookies).

[Image]

In the cookie statement from Microsoft for their Azure service they list some cookies they set.

[Image]

Like Azure, AWS also includes a link to data privacy and a cookie statement.

[Image]

Regarding ReCaptcha, I found several sites that give a warning, or ask their users explicitly to accept the usage of ReCaptcha. These sites also include additional information regarding the recaptcha cookie from Google.

[Image]
[Image]

Summary

Other companies include information about data privacy and cookie statements in their IdP sites. ReCaptcha is loaded after the user is either informed or accepted it, and normally only loaded when really needed. I am really curious why SAP is not doing it the same way.

Categories: SAP

Tobias Hofmann

Doing stuff with SAP since 1998. Open, web, UX, cloud. I am not a Basis guy, but very knowledgeable about Basis stuff, as it's the foundation of everything I do (DevOps). Performance is king, and unit tests is something I actually do. Developing HTML5 apps when HTML5 wasn't around. HCP/SCP user since 2012, NetWeaver since 2002, ABAP since 1998.

2 Comments

Am Rande des Wahnisnns | It's full of stars! · November 14, 2022 at 13:03

[…] on my post about SAP Universal ID and something about SAP Connect and the […]

Legal requirements | It's full of stars! · February 24, 2023 at 09:41

[…] also SAP Universal ID. A service made mandatory and available since years yet failed to comply with legal requirements like cookies. And yes, SAP UID also missed to include a legal disclosure in the footer. Event website like for […]
