Post AxlZId74sqPFu1L2ki by matiasgoldberg@mastodon.gamedev.place
 (DIR) Post #AxixOFR7dn8RdM2uzg by aral@mastodon.ar.al
       2025-08-31T09:08:32Z
       
       4 likes, 6 repeats
       
       Look, Jeff Atwood, it’s difficult to take you seriously when you write authoritatively on a subject you clearly don’t understand. GDPR doesn’t mandate cookie notices. Cookie notices are *malicious compliance* by the surveillance-driven adtech industry. If you’re not tracking people, you do not need a cookie notice, period. If you’re only using first-party cookies for functional reasons, you do not need a cookie notice, period. If you’re using third-party cookies to track people – i.e., if you’re sharing their data with others – then *you must have their consent to do so*. Because, otherwise, you are violating their privacy. Even then, the law doesn’t mandate a cookie notice. How would you conform to EU law without a cookie notice if your aim wasn’t malicious compliance? You would not track people by default and you would make it so they have to go to your site’s settings to turn on third-party tracking if, for some inexplicable reason, they wanted that “feature”. Boom! No cookie notice necessary. What’s that? But that would destroy your business because your business is founded on the fundamental mechanic of violating people’s privacy? Good. Your business doesn’t deserve to exist. Because the real bullshit here isn’t EU legislation that protects the human right to privacy, it’s the toxic Silicon Valley/Big Tech business model of farming people for data that violates everyone’s privacy and opens the door to technofascism. https://infosec.exchange/@codinghorror/115120175033311443
       
 (DIR) Post #Axixfmn0t7WS01eFWq by urlyman@mastodon.social
       2025-08-31T09:11:22Z
       
       0 likes, 0 repeats
       
       @aral excellent ✊
       
 (DIR) Post #Axiy9lrYtikJoT4dDE by writingslowly@aus.social
       2025-08-31T09:17:08Z
       
       0 likes, 0 repeats
       
       @aral whether or not this is technically correct it totally nails how I feel about cookie notices. They're obviously compliance theatre. I hate them all, especially when you have to accept 'necessary cookies' or else you get them all (you probably get them all anyway). Plus which data privacy gaslighter even needs cookies now? They've probably moved on to even more invasive methods. Oh, did I mention I hate cookies and their stupid fake notices?
       
 (DIR) Post #AxiyFM0jvZftN81qYS by ma1@todon.eu
       2025-08-31T09:17:40Z
       
       0 likes, 0 repeats
       
       @aral GDPR for dummies👌
       
 (DIR) Post #AxiyMjAoD0GpEhFqCG by TCatInReality@mastodon.social
       2025-08-31T09:19:29Z
       
       0 likes, 0 repeats
       
       @aral 🎯 Not enough people understand how techbros choose horrible user interfaces and design/moderation decisions to turn people against even the most basic and essential customer safety regulations. I believe the current age-gating outrage is astroturfed too.
       
 (DIR) Post #AxiyRiEj7S0TmKSphg by aral@mastodon.ar.al
       2025-08-31T09:19:30Z
       
       0 likes, 0 repeats
       
       @writingslowly There’s an easy solution to that. We pass a GDMR and effectively outlaw their business model (don’t hold your breath). https://ar.al/2018/11/29/gdmr-this-one-simple-regulation-could-end-surveillance-capitalism-in-the-eu/
       
 (DIR) Post #AxizPYxKkk6aN1rqJE by yahe@chaos.social
       2025-08-31T09:31:09Z
       
       0 likes, 0 repeats
       
       @aral @marix You’re correct on a wholly different level. GDPR doesn’t mandate cookie notices. Actually, the GDPR isn’t relevant regarding cookies at all. But Directive 2002/58/EC as lex specialis to the GDPR is.
       
 (DIR) Post #AxizVnwfw4Wkb3XHVo by qqmrichter@mastodon.world
       2025-08-31T09:31:45Z
       
       0 likes, 0 repeats
       
       @aral @codinghorror Are we sure that Jeff Atwood isn't an early LLM experiment? The straight-up overconfidence as he spouts completely incorrect and ignorant shit feels an awful lot like ChatGPT and its coterie of concussed digital parrots. Oh, wait. The "voice" of these is modelled after what techbrodudes think sounds smart. I may have put the teleological cart before the horse.
       
 (DIR) Post #AxizxwPM47iqx2MoLI by fabienmarry@mastodon.social
       2025-08-31T09:37:11Z
       
       0 likes, 0 repeats
       
       @aral @codinghorror and wasn't his second suggestion already tried, as the do not track feature built into browsers then promptly ignored by ad tech?
       
 (DIR) Post #Axj0TWgPFIlsQvP4l6 by knud@mastodon.social
       2025-08-31T09:43:00Z
       
       0 likes, 0 repeats
       
       @aral I'm running a website for a science consortium and we don't track, we don't sell anything, and we don't have to worry about visitor data storage and protection, and we do not need any cookie clicked on the site. Very simple, very relaxing. It also prevents the need for a data protection responsible person, because no data is being collected.
       
 (DIR) Post #Axj118hAwBf9snn7I0 by slowe@mastodon.me.uk
       2025-08-31T09:49:08Z
       
       0 likes, 0 repeats
       
       @aral Exactly. And his "all websites" particularly grates because I could point him at a bunch of websites I've been involved with that don't have any cookie notice for the reasons you say.
       
 (DIR) Post #Axj22JgvdjsWEKnjDk by vnikolov@ieji.de
       2025-08-31T10:00:36Z
       
       0 likes, 0 repeats
       
       Indeed. Now, how to make Jeff Atwood and those who listen to him take heed? Regrettably, I don't know... 🙁 @aral
       
 (DIR) Post #Axj2geR7vgHy9ZdvJg by aral@mastodon.ar.al
       2025-08-31T10:07:46Z
       
       0 likes, 0 repeats
       
       @yahe @marix That’s why I used “EU law” and “EU legislation” everywhere else but without the lex generalis, we wouldn’t have the lex specialis.
       
 (DIR) Post #Axj2vkkejU465Byjho by aral@mastodon.ar.al
       2025-08-31T10:10:39Z
       
       0 likes, 0 repeats
       
       @fabienmarry @codinghorror Yes. I’d be completely fine with legislating that every browser reinstate that feature, have it on by default, and compel sites to obey it without asking again. That would also solve the problem.
       
 (DIR) Post #Axj33ZmtNd24OZks1g by DiogoConstantino@masto.pt
       2025-08-31T10:11:45Z
       
       0 likes, 0 repeats
       
       @aral they are even almost never compliance as most of them don't follow requirements for being compliant by making it hard to refuse all, and by having so much information and "partners", that makes it impossible for any human being to actually be informed by all of them, and therefore, can't ever exist informed consent.
       
 (DIR) Post #Axj3K9bly2xQ7mSVPs by coral@empty.cafe
       2025-08-31T10:14:55Z
       
       0 likes, 0 repeats
       
       @aral @cstross why is Jeff anchoring this around a 15 year old vuln anyway?
       
 (DIR) Post #Axj3QB4NRmT6OVi7Hs by aral@mastodon.ar.al
       2025-08-31T10:15:25Z
       
       0 likes, 0 repeats
       
       @vnikolov I think Upton Sinclair said it best… :)
       
 (DIR) Post #Axj3WhC8v2jJlaS1Ts by aral@mastodon.ar.al
       2025-08-31T10:16:39Z
       
       0 likes, 0 repeats
       
       @coral @cstross 🤷‍♂️
       
 (DIR) Post #Axj4benZM87Rjit1cW by aral@mastodon.ar.al
       2025-08-31T10:29:20Z
       
       0 likes, 0 repeats
       
       @mkj This.
       
 (DIR) Post #Axj4xt257AVkFmH4YS by jenesuispasgoth@pouet.chapril.org
       2025-08-31T09:48:08Z
       
       0 likes, 0 repeats
       
       @knud but even if you sold something, you would not need to put up a cookie banner: to sell something you require some information to complete the sale (address where to ship, and/or info about the means to pay for the good or service sold). None of that would be illegitimate. @aral
       
 (DIR) Post #Axj4xuJ8NFkICxGCm0 by michelv@oisaur.com
       2025-08-31T10:22:50Z
       
       0 likes, 0 repeats
       
       @jenesuispasgoth @knud @aral I work in e-commerce in Europe. Mostly the banners are there because such websites do use a lot of third party services for purposes that range from marketing campaign monitoring to user session recordings (for debugging). Apart from developing everything in house or hosting the tools, there aren’t a lot of ways to avoid the banners.
       
 (DIR) Post #Axj4xvJWdHeXKSS21Q by aral@mastodon.ar.al
       2025-08-31T10:32:53Z
       
       0 likes, 0 repeats
       
       @michelv @jenesuispasgoth @knud Use first-party tools or privacy respecting ones. It’s entirely possible if the desire is there.
       
 (DIR) Post #Axj7AlVwZwdAbnVkFk by bitboxer@mastodon.social
       2025-08-31T10:58:03Z
       
       0 likes, 0 repeats
       
       @aral @geeksam @codinghorror also: there was a Browser Setting. It was misused by the tracking industry and because of that worthless and removed 🤬
       
 (DIR) Post #Axj8gTegc5pAROHlVg by sassdawe@infosec.exchange
       2025-08-31T11:15:06Z
       
       0 likes, 0 repeats
       
       @aral this is why #GitHub was able to remove the banner back in 2020 - the good old days. https://github.blog/news-insights/company-news/no-cookie-for-you/ Funny enough, 5 years later the banner is back on $GitHub Blog, I guess being owned by $MSFT changes things...
       
 (DIR) Post #Axj8sIv0MHPgcGYeDA by praerien@mastodon.nu
       2025-08-31T11:17:16Z
       
       0 likes, 0 repeats
       
       @aral I didn't read the 🦷 from Jeff. I fully understand the no tracking and I'm glad I live in the eu and privacy is taken seriously. But I also understand the need for cookies, at least for analytics and I think the cookie consent ux is awful. I get cookie consent blind and click allow all ... Usually the default.. to get to the content. It could be super nice if the cookie-banners could be steered by request accept headers as standard. In that way I would only need to set the browser settings
       
 (DIR) Post #AxjA9fXlajnTfEX4hE by freediverx@mastodon.social
       2025-08-31T11:31:37Z
       
       0 likes, 0 repeats
       
       @aral @codinghorror Thanks for this response. That post pissed me off and I was wondering how long I’d have to wait for someone to call out the Benevolent Plutocrat on his bullshit.
       
 (DIR) Post #AxjArXurJORekWFvJw by branleb@legal.social
       2025-08-31T11:39:36Z
       
       0 likes, 0 repeats
       
       @aral @yahe @marix yes, we would. The mentioned ePD covers also non-personal data, thus is not necessarily lex specialis to the GDPR. This is why the ePD e.g. covers all cookies, not only tracking (or browser fingerprinting, or ..., and also responsive Design (but does not mandate acquiring consent for that as it is functional for the service requested by the user)).
       
 (DIR) Post #AxjDCoh8KAGemE6dua by rozeboosje@masto.ai
       2025-08-31T12:05:51Z
       
       0 likes, 1 repeats
       
       @aral exactly. The EU needs to mandate that 1. Every browser needs to, by default, be set to allow "strictly necessary cookies" only. 2. Every site that wants to serve EU users must honour this setting. 3. Impose massive fines on sites that don't do this or that choose to interpret "strictly necessary only" in "creative" ways. So that anybody who does not want other cookies has to do exactly nothing to achieve that.
       
 (DIR) Post #AxjFtaRNOdViveG3u4 by leeloo@chaosfem.tw
       2025-08-31T12:35:57Z
       
       0 likes, 1 repeats
       
       @aral Even simpler: Look at the DNT http header. Only fall back to cookie notices when the browser doesn't send it. It was interesting how quickly Mozilla deprecated the DNT header after an EU court ruled that yes, it is a valid answer.
       
 (DIR) Post #AxjGSRCXjufqPQwEIy by tarmil@mastodon.tarmil.fr
       2025-08-31T12:42:15Z
       
       0 likes, 0 repeats
       
       @aral Really the main problem of this enforcement is that it came too late, when (almost) everyone was already dependent on collecting private data. That made it easy for the industry to collectively decide that intrusive popups would be the simplest way to comply. What were people going to do, take their business to the competition? Doesn't matter, they do it too. If regulation had come earlier, then the first ones to use popups would have been seen as obnoxious assholes and lost visitors.
       
 (DIR) Post #AxjGZ3GH95H4Bjq02q by eseilt@mastodon.scot
       2025-08-31T12:42:32Z
       
       0 likes, 0 repeats
       
       @aral all correct. My own criticism of that EU law is that they didn't bother to check if there were ever any reason to let yourself be voluntarily tracked - there isn't. The whole thing should've been a law that makes it illegal.
       
 (DIR) Post #AxjLNsDiM8e2Wu83kG by LiquidParasyte@pawb.fun
       2025-08-31T13:37:13Z
       
       0 likes, 0 repeats
       
       @aral "Yes, you can naively argue that every website should encrypt all their traffic all the time, but to me that's a 'boil the sea' solution." Talk about takes that didn't age well
       
 (DIR) Post #AxjMNsYBEF3LVXGgKG by aral@mastodon.ar.al
       2025-08-31T13:47:04Z
       
       0 likes, 0 repeats
       
       @vex True.
       
 (DIR) Post #AxjMUmuIbn3Y24uODw by michelv@oisaur.com
       2025-08-31T13:47:35Z
       
       0 likes, 0 repeats
       
       @aral @jenesuispasgoth @knud it is partly possible indeed; thing is, it costs much more money in initial setup and recurring upkeep, with less flexibility and no tangible benefit in a market where users have "accepted" the ubiquity of the banner.
       
 (DIR) Post #AxjMb4OCWT6zzStGL2 by aral@mastodon.ar.al
       2025-08-31T13:49:18Z
       
       0 likes, 0 repeats
       
       @eseilt Couldn’t agree more. https://ar.al/2018/11/29/gdmr-this-one-simple-regulation-could-end-surveillance-capitalism-in-the-eu/
       
 (DIR) Post #AxjMn4kwz5NgbTFw5g by aral@mastodon.ar.al
       2025-08-31T13:50:20Z
       
       0 likes, 0 repeats
       
       @leeloo This.
       
 (DIR) Post #AxjMuTPBjphf4tbXOa by aral@mastodon.ar.al
       2025-08-31T13:52:07Z
       
       0 likes, 0 repeats
       
       @rozeboosje That would work. https://ar.al/2018/11/29/gdmr-this-one-simple-regulation-could-end-surveillance-capitalism-in-the-eu/
       
 (DIR) Post #AxjNEgmvgsCkNNLgrQ by bleepbloop@ravenation.club
       2025-08-31T13:58:11Z
       
       0 likes, 0 repeats
       
       @aral beautifully put.
       
 (DIR) Post #AxjNfRHlRA1Y78Wj6u by aral@mastodon.ar.al
       2025-08-31T14:03:06Z
       
       0 likes, 0 repeats
       
       @praerien 1. You don’t need third-party cookies for analytics. Services exist that provide analytics without third-party tracking. 2. The “UX” (design) of cookie consent banners is an anti-pattern implemented by the adtech industry exactly to invoke this reaction and misdirect your ire from the tracking itself to the law meant to protect your rights. 3. Your suggested solution would, indeed, nip this in the bud. This is why the surveillance industry made sure to remove Do Not Track the moment they realised it could be used for this purpose. (After all, it has served Mozilla/Silicon Valley’s purpose of delaying regulation for a decade and now had become a liability.)
       
 (DIR) Post #AxjNlzhgNtzib5m9sO by aral@mastodon.ar.al
       2025-08-31T14:03:24Z
       
       0 likes, 0 repeats
       
       @bleepbloop 💕
       
 (DIR) Post #AxjNsL63l40WgVCfw0 by aral@mastodon.ar.al
       2025-08-31T14:04:21Z
       
       0 likes, 0 repeats
       
       @michelv @jenesuispasgoth @knud Yes, it is easier to violate human rights than to respect them. Doesn’t make it right.
       
 (DIR) Post #AxjPcM1gjakcqHfFOi by Dss@infosec.exchange
       2025-08-31T14:24:52Z
       
       0 likes, 0 repeats
       
       @aral So in your world, how do you sell a customer a thing, without having to have a salesman call them? Oh wait, phone numbers can't be collected either, without permission... Yes, many sites are using it for adverts, but lots are also trying to sell a product that isn't the browser.
       
 (DIR) Post #AxjPthHowVOxhcToI4 by Dss@infosec.exchange
       2025-08-31T14:27:52Z
       
       0 likes, 0 repeats
       
       @aral @fabienmarry @codinghorror That's a better solution, and then you only meet the committee notice when you add something to a basket, or log in, or whatever. A bit like auto blocking those "Follow this website?" notifications until you at least interact with the website!
       
 (DIR) Post #AxjQ2jrej8oCIvYKtU by shram86@mastodon.gamedev.place
       2025-08-31T14:29:30Z
       
       0 likes, 0 repeats
       
       @aral infosec.exchange is proving to be an instance worth ignoring over misinformation and malpractice
       
 (DIR) Post #AxjQDvsMPRjck5DhLM by michelv@oisaur.com
       2025-08-31T14:31:38Z
       
       0 likes, 0 repeats
       
       @aral @jenesuispasgoth @knud you’re right, I’m a soulless monster. Hyperbole much?
       
 (DIR) Post #AxjQM7nHyvWU1Skoy0 by aral@mastodon.ar.al
       2025-08-31T14:32:12Z
       
       0 likes, 0 repeats
       
       @Dss In my world, which is the same world you live in, if a person provides their phone number to have a sales person call them, they are consenting to have the sales person call them and you can use their phone number for the purpose of having a sales person call them which is what the person has given you permission to do. Do you need a cookie notice for that? No. (That said, it’s not my job to fix toxic business models.)
       
 (DIR) Post #AxjQXQmTjGOe5wlZWi by fzimper@bildung.social
       2025-08-31T10:38:40Z
       
       0 likes, 0 repeats
       
       @vnikolov post removed as my link was already in the original posting. I still think it would've been better to post this as a reply to Jeff's post. @aral
       
 (DIR) Post #AxjQXSQDczmNBUMp6m by webhat@infosec.exchange
       2025-08-31T10:44:23Z
       
       0 likes, 0 repeats
       
       @fzimper @aral blocked for snitch tooting
       
 (DIR) Post #AxjQXTbFFUC2pyX8vw by Dss@infosec.exchange
       2025-08-31T14:31:13Z
       
       0 likes, 0 repeats
       
       @webhat @fzimper @aral I'm blocking you for being an idiot. "snitch tooting"? The exactly two people already in the conversation?
       
 (DIR) Post #AxjQXUngmhk2YrMay8 by aral@mastodon.ar.al
       2025-08-31T14:34:01Z
       
       0 likes, 0 repeats
       
       @Dss @fzimper And you’re (NKT) getting blocked for your comment to @webhat.
       
 (DIR) Post #AxjQg9dephnFXFnfO4 by aral@mastodon.ar.al
       2025-08-31T14:34:51Z
       
       0 likes, 0 repeats
       
       @shram86 I’d reconsider. There are good folks there too, like @webhat.
       
 (DIR) Post #AxjQmldUTNH57SsK36 by claudius@darmstadt.social
       2025-08-31T14:32:57Z
       
       0 likes, 0 repeats
       
       @rozeboosje @aral 4. Actually enforce those laws.
       
 (DIR) Post #AxjQmmYv1rDBzZkBYu by aral@mastodon.ar.al
       2025-08-31T14:35:38Z
       
       0 likes, 0 repeats
       
       @claudius @rozeboosje This.
       
 (DIR) Post #AxjQt4DoHg3eV2rpo0 by aral@mastodon.ar.al
       2025-08-31T14:37:25Z
       
       0 likes, 0 repeats
       
       @michelv @jenesuispasgoth Your words, not mine.
       
 (DIR) Post #AxjQzzeve7eeNNr38S by knud@mastodon.social
       2025-08-31T14:34:58Z
       
       0 likes, 0 repeats
       
       @michelv @aral @jenesuispasgoth How about leaving me out of this thread continuation, thank you.
       
 (DIR) Post #AxjR00vcvWbcJSftnk by aral@mastodon.ar.al
       2025-08-31T14:38:00Z
       
       0 likes, 0 repeats
       
       @knud 👍
       
 (DIR) Post #AxjRIO2PkFoDCLbu0u by simoncox@seocommunity.social
       2025-08-31T14:43:36Z
       
       0 likes, 0 repeats
       
       @aral @codinghorror Well said @aral 👏👏👏
       
 (DIR) Post #AxjRWRAgtKxiyFBJL6 by webhat@infosec.exchange
       2025-08-31T14:46:06Z
       
       0 likes, 0 repeats
       
       @aral @shram86 I think every instance has questionable people on there. If you see misinformation please report it, the moderators and instance owner @/jerry take it very seriously
       
 (DIR) Post #AxjS0irTgVT6WUdU7k by dmarti@federate.social
       2025-08-31T14:51:39Z
       
       0 likes, 0 repeats
       
       @aral @Dss Lin et al. found that ad blocker users are more satisfied with the products and services they buy than non-users. There _is_ a theoretical economic role of advertising but surveillance advertising is failing at it. Lots of pro-surveillance advocacy from academics—but they don't cite some of the best sources in their own field, or some of the best points in the body copy of the papers they do cite—even Google refers to de-personalizing the ads as a "protection" https://blog.zgp.org/advertising-personalization-good-for-you/
       
 (DIR) Post #AxjSOkEKFRTxiXmFxg by rigo@mamot.fr
       2025-08-31T14:55:56Z
       
       0 likes, 0 repeats
       
       @aral this was DNT and DNT was killed by BROWSERS. Because lumpsum unintelligible data collection notices allowed to continue all evil practices with just a change on a web notice. So the argumentation of @codinghorror is particularly torn.
       
 (DIR) Post #AxjSZCsoZUtrTlhk2K by zbrando@social.vivaldi.net
       2025-08-31T14:57:54Z
       
       0 likes, 0 repeats
       
       @aral I wrote something like this a couple of times here. People don't understand that there is no need for cookie banners for the technically necessary cookies the website needs to function, only for the optional shit that usually is tracking. And that those banners are full of dark patterns, made to annoy users so they click on "agree to all".
       
 (DIR) Post #AxjSgZ8AFo7qVQORGq by ryanroberts@mastodon.social
       2025-08-31T14:58:35Z
       
       0 likes, 0 repeats
       
       @aral @steverowling I’m always sure to let clients know they don’t need a cookie banner if they’re not tracking people. And funnily enough many of them hate cookie banners enough to not bother with GA or whatever else. I do offer @Plausible for insights into website usage though. Sadly clients who want to advertise or hire marketing companies are a different story.
       
 (DIR) Post #AxjZT81gPrFYMCtwmm by thorstenbutz@twit.social
       2025-08-31T16:15:12Z
       
       0 likes, 0 repeats
       
       @aral That’s the problem with theory and practise: in real life an army of lawyers and „experts“ advise you to behave exactly like all the others. And all the public services provide bad examples since they behave exactly in the same wrong way. In reality, GDPR brought the opposite results of what we wanted to achieve.
       
 (DIR) Post #Axja9a0claI7J6eGY4 by hyperlinkyourheart@mastodon.ie
       2025-08-31T16:22:47Z
       
       0 likes, 0 repeats
       
       @aral Oof, the doubling down in the replies... 🫣
       
 (DIR) Post #AxjazDdHCuBgxwLpho by atax1a@infosec.exchange
       2025-08-31T16:32:12Z
       
       0 likes, 0 repeats
       
       @aral jeff atwood talking authoritatively about a subject he doesn't understand? must be a day ending in y
       
 (DIR) Post #AxjfQhFlaM1ET6iEMK by hey@social.nowicki.io
       2025-08-31T17:21:45Z
       
       0 likes, 0 repeats
       
       @aral small correction. You can still track people, just not share it with everyone and their dog. If you have data in your system you're free to use it for analytics. As long as it's anonymized, so, properly aggregated. No consent needed.
       
 (DIR) Post #AxjfkgAHLGoyssfqK0 by Oytis@mastodon.social
       2025-08-31T17:25:39Z
       
       0 likes, 0 repeats
       
       @aral It's not just adtech. Every business, including small ones, wants analytics. If you voluntarily refuse to track your visitors, you are putting your business to a disadvantage - that's just a law of nature in a free market society that businesses will try to avoid it. So any legislation introduced should account for it, and either make malicious compliance impossible or not introduce restrictions that are contrary to common practice at all.
       
 (DIR) Post #Axjgxu9qj9kG0ALMB6 by veronica@mastodon.online
       2025-08-31T17:39:08Z
       
       0 likes, 0 repeats
       
       @aral Not only that, but a lot of cookie banners make it easy to give consent but put a huge barrier to withdraw it. They're required to be the same.
       
 (DIR) Post #AxjhXy5vZHCSdVhnV2 by aral@mastodon.ar.al
       2025-08-31T17:45:46Z
       
       0 likes, 0 repeats
       
       @Oytis You don’t need third-party cookies to implement analytics.
       
 (DIR) Post #AxjhrvrBb70RUIKVOq by aral@mastodon.ar.al
       2025-08-31T17:49:18Z
       
       0 likes, 0 repeats
       
       @hey Yes, aggregate analytics – what you describe – does not constitute tracking. (That is different from anonymised data; anonymised data can be deanonymised using other data sets – a common practice within the people farming industry.)
       
 (DIR) Post #AxjiTXI3NsXMIdpNOy by uncanny_static@chaos.social
       2025-08-31T17:46:37Z
       
       0 likes, 0 repeats
       
       @disorderlyf @aral This feature already exists. It is just that ad-tech ignored that users were sending a do-not-track request and instead they opted for trying to nudge everyone into accepting their surveillance, by making obnoxious cookie banners. https://en.wikipedia.org/wiki/Do_Not_Track
       
 (DIR) Post #AxjiTYhc8KZqgCnIsi by aral@mastodon.ar.al
       2025-08-31T17:56:09Z
       
       0 likes, 0 repeats
       
       @uncanny_static @disorderlyf It’s worse than that: this was a feature spearheaded by Mozilla (Silicon Valley’s acceptable face) and it had the very real effect of staving off regulation for a decade (“look, we are self regulating”). The moment people realised it could be used to communicate consent within the framework of GDPR, the feature was deprecated. Sadly, some folks still think Mozilla are the good guys.
       
 (DIR) Post #Axjj4brdLEQfCS9Eu0 by whvholst@eupolicy.social
       2025-08-31T18:02:40Z
       
       0 likes, 0 repeats
       
       @aral Minor nitpick: the cookie banners are not even malicious compliance since they tend to rely on consent without meeting the requirements for said consent. More like performative non-compliance then.
       
 (DIR) Post #AxjjnNR1pqb9Tp3Bq4 by hey@social.nowicki.io
       2025-08-31T18:10:53Z
       
       0 likes, 0 repeats
       
       @aral sure sure. It's important to ensure deanonymization is at minimum extremely expensive, impossible at best.
       
 (DIR) Post #AxjoLLbRYKQZScNMBM by dragonarchitect@rubber.social
       2025-08-31T19:01:46Z
       
       0 likes, 0 repeats
       
       @aral Genuine question: If I hosted my own private analytics tracker (something like Matomo (née Piwik), e.g.) just so I could have funny numbers to look at because I like to look at numbers but do nothing meaningful with them, would that require a cookie banner? I'd pondered about just having a static notice in the footer of my site that just says "This site uses some functional cookies and one (1) tracking cookie for a self-hosted analytics dashboard because I like to look at Numbers™."
       
 (DIR) Post #Axjrn1eLdCTrY1cjzc by ParadeGrotesque@mastodon.sdf.org
       2025-08-31T19:40:28Z
       
       0 likes, 0 repeats
       
       @aral THIS. 1000x THIS.
       
 (DIR) Post #AxjuOttb6ntWPZwd6m by elricofmelnibone@mastodon.social
       2025-08-31T20:09:48Z
       
       0 likes, 0 repeats
       
       @aral Jeff is a clever cookie. He knows this. I don't know why he's being obnoxious about this.
       
 (DIR) Post #AxjvD7UmoqKf4OHmlc by patwood@mastodon.social
       2025-08-31T20:18:52Z
       
       0 likes, 0 repeats
       
       @aral Thanks for this. Many believe a cookie notification is the only way to be GDPR compliant. None of my websites have them. The fact that I use very few frameworks and need only simple analytics helps. And I intend to keep it that way.
       
 (DIR) Post #Axk09wu2FIf97RP3g0 by NymanTech@fosstodon.org
       2025-08-31T21:14:16Z
       
       0 likes, 0 repeats
       
       @aral Hell to the Yeah.
       
 (DIR) Post #Axk54pvNGOZ7naPXeq by encthenet@flyovercountry.social
       2025-08-31T22:09:24Z
       
       0 likes, 0 repeats
       
       @aral The hilarious part was that this WAS a browser feature, dnt, but the industry didn't like that everyone enabled DNT so they refused to use it and use cookie pop ups instead. He doesn't even know that basic history either.
       
 (DIR) Post #Axk5W1a429JLljPKW8 by joriki@infosec.exchange
       2025-08-31T22:14:15Z
       
       0 likes, 0 repeats
       
       @aral 💥
       
 (DIR) Post #AxkIoc3USXprVeMiAq by codinghorror@infosec.exchange
       2025-09-01T00:43:30Z
       
       0 likes, 0 repeats
       
       @aral see https://infosec.exchange/@codinghorror/115125536547866194 and https://infosec.exchange/@codinghorror/115125608059317211 and https://infosec.exchange/@codinghorror/115125640938926097 and https://mastodon.social/@JeffGrigg/115125709120669754
       
 (DIR) Post #AxkkDqKVDpl5maZtDM by ensoyote@furry.engineer
       2025-08-31T20:45:56Z
       
       0 likes, 1 repeats
       
       @aral I had a brief and regrettable stint at a German ad tech firm while GDPR came into force. The conversation in the room was literally "how do we make this as inconvenient as possible for people so that they just click accept?" Advertising should be illegal.
       
 (DIR) Post #AxkkItz53vCEZ4yDQ0 by aral@mastodon.ar.al
       2025-09-01T05:51:01Z
       
       0 likes, 0 repeats
       
       @patwood 💕
       
 (DIR) Post #AxkkOELqlTURBGA3iy by aral@mastodon.ar.al
       2025-09-01T05:51:41Z
       
       0 likes, 0 repeats
       
       @elricofmelnibone Upton Sinclair has entered the chat.
       
 (DIR) Post #AxklBxtoCxWCdMlDBQ by tecteun@mastodon.social
       2025-09-01T06:01:32Z
       
       0 likes, 0 repeats
       
       @aral very true, I found his opinion disturbing too 👍 the site I recently built does not use cookies for tracking, therefore has no annoying pop-ups at all, legally!
       
 (DIR) Post #AxklfjQYZuyqRDGusS by aral@mastodon.ar.al
       2025-09-01T06:06:50Z
       
       0 likes, 0 repeats
       
       @GeorgWeissenbacher @writingslowly I’m one of those experts. Yes, regulation, like any legislation can be good or bad. That said, if you run, say a construction company, a lawyer does explain to you what can and can’t be built. You don’t just get to dig up a park and put in luxury apartments because you feel like it. You don’t get to construct a factory and dump your sewage into the sea. Or, more to the point, if you run a cinema, you don’t get to put cameras in the bathrooms. There are many things you don’t get to do if you run a company because they would infringe on the rights of others and your right to make a profit doesn’t supersede that. I hope you’re teaching your students that they should be thoughtful in what they build so that it benefits humanity. We don’t need more things, we need more things that improve human welfare. And the last thing we need are more libertarian techbros who think they can do whatever they want in pursuit of their gluttonous profiteering and that rules don’t apply to them. That’s how we end up with technofascism.
       
 (DIR) Post #Axkm8t1vxDZAcPemVk by aral@mastodon.ar.al
       2025-09-01T06:11:51Z
       
       0 likes, 0 repeats
       
       @dragonarchitect The easiest way is to keep aggregate stats collected on the server and you won’t need to ask for individual consent.
       
 (DIR) Post #Axkxk87RupMHcuCLfU by miles_leif@mastodon.social
       2025-09-01T08:21:59Z
       
       0 likes, 0 repeats
       
       @aral The sentiment that cookie banners are mandatory hit so deep, that I have needed to argue with clients how they don't need a banner or consent at all (because they are actually not tracking or advertising) and they still wanted to have it because "everybody has it and wouldn't that make us look unprofessional?" – sure, they misunderstood and I could clarify but boy oh boy, the damage done... -.-
       
 (DIR) Post #Axl4SPheV2Zcd2dBmi by david_chisnall@infosec.exchange
       2025-09-01T09:26:06Z
       
       0 likes, 0 repeats
       
       @urlyman @aral It's often not even malicious compliance. Most of these banners don't even meet the requirements of the GDPR, specifically that you must be able to withdraw consent at any time and that you must give informed consent (i.e. that you must know what you have consented to to be able to grant consent). @noybeu is doing a great job going after some of these people.
       
 (DIR) Post #Axl4SQwDuLp6SWSL8S by aral@mastodon.ar.al
       2025-09-01T09:37:08Z
       
       0 likes, 0 repeats
       
       @david_chisnall @urlyman @noybeu Indeed. And yes they are but enforcement of GDPR should fall on the shoulders of more than one small law firm. Good thing they exist but it also shows how messed up the system is in general.
       
 (DIR) Post #AxlV1vMXNd37lKLeIC by kel@mastodon.online
       2025-09-01T14:35:07Z
       
       0 likes, 0 repeats
       
       @aral HEAR! FUCKING! HEAR! DEATH TO CAPTCHA!!! LONG LIVE THE FREE INTERNET!!!
       
 (DIR) Post #AxlZId74sqPFu1L2ki by matiasgoldberg@mastodon.gamedev.place
       2025-09-01T15:22:59Z
       
       0 likes, 0 repeats
       
       @aral Misleading. If you implement first party cookies for your own analytics to improve your website (like... what content is more popular, what pages are broken from UX standpoint), you still have to show the cookie notice. Whether it's first or third party is not part of the equation.
       
 (DIR) Post #AxleUtUeJ91lx01zPc by aral@mastodon.ar.al
       2025-09-01T16:21:06Z
       
       0 likes, 0 repeats
       
       @matiasgoldberg Yes it is very much part of the equation. A first-party functional cookie (e.g., to store log-in state): no consent necessary. First-party *aggregate* statistics: no consent necessary.
       
 (DIR) Post #AxlgxBaoo8EY6NXEuG by matiasgoldberg@mastodon.gamedev.place
       2025-09-01T16:48:50Z
       
       0 likes, 0 repeats
       
       @aral Start filtering by anything useful like first time visitors, Country and age bucket and it quickly stops being "aggregate".
       
 (DIR) Post #AxllwxC4qIJPDNffns by aral@mastodon.ar.al
       2025-09-01T17:44:43Z
       
       0 likes, 0 repeats
       
       @matiasgoldberg I said aggregate not “anonymised”. The latter is bullshit.
       
 (DIR) Post #AxnCQ5AZ3nUyJaTR6e by grievousangel@ravenation.club
       2025-09-02T10:16:05Z
       
       0 likes, 0 repeats
       
       @aral @codinghorror I remind you that this is Jeff Atwood you are finger wagging at here. He is wrong on this take. But if you really think this invalidates his critique of capitalism or his significant charity work then I think you might consider reappraising your position. And picking a better target next time.
       
 (DIR) Post #AxnOsu8qL5NNxdB8C0 by andreasio@mastodon.social
       2025-09-02T12:35:44Z
       
       0 likes, 0 repeats
       
       @aral 99 % agree. But to be fair, the cookie banner did serve as an important wake up call, back in the day. It's also, to this day, an easy way to discern which pages absolutely don't give a shit. But 100 % agree that if no data is collected, no consent is required. (Cookiebanner != gdpr consent)
       
 (DIR) Post #AxnRuFbqJ90Eh54nSa by craignicol@glasgow.social
       2025-09-02T13:09:22Z
       
       0 likes, 0 repeats
       
       @aral it's hardly the first time he's posted on a subject he doesn't understand
       
 (DIR) Post #AxnS6P5esrGvZbojya by craignicol@glasgow.social
       2025-09-02T13:11:11Z
       
       0 likes, 0 repeats
       
       @aral if GitHub doesn't need a cookie banner, there's no technical reason for a site to have them, it's always a privacy reason https://techcrunch.com/2020/12/17/github-says-goodbye-to-cookie-banners/
       
 (DIR) Post #AxnVwtGuDNqq6GnVJo by andrewrk@mastodon.social
       2025-09-01T20:03:26Z
       
       0 likes, 0 repeats
       
       @codinghorror @aral you make money from ads on stack exchange so you are biased in the conversation. switch business models to be ad-free and then I want to hear your perspective after that.
       
 (DIR) Post #AxnVwu8mz2x8nO0XJ2 by codinghorror@infosec.exchange
       2025-09-02T13:48:52Z
       
       0 likes, 0 repeats
       
       @andrewrk @aral I'm biased as a user of the internet who is SO FUCKING TIRED OF CLICKING ON COOKIE BANNERS
       
 (DIR) Post #AxnVwunCYnHMoiuoIS by aral@mastodon.ar.al
       2025-09-02T13:54:38Z
       
       0 likes, 0 repeats
       
       @codinghorror @andrewrk I think what people are trying to tell you is that you’re part of the problem. You’re not just any “user of the internet”, you’re a developer. You have agency. Don’t like cookie banners? Great! Lead by example: remove them from the sites you own and control (i.e., stop tracking people on the sites you own and control. Find other ways to make money.)
       
 (DIR) Post #AxnoR5bEk76ECGrBAG by williampietri@sfba.social
       2025-09-02T17:21:52Z
       
       0 likes, 0 repeats
       
       @aral "It is difficult to get a man to understand something when his salary depends on his not understanding it." -- Upton Sinclair @codinghorror @andrewrk
       
 (DIR) Post #AxnpeUTPfpe13o9RWS by orman@furry.engineer
       2025-09-02T17:35:27Z
       
       0 likes, 0 repeats
       
       @aral @codinghorror @andrewrk the first linked comment especially leans towards the businessperson perspective - sure, content creators want to make money off personal data by selling ads, but nobody is entitled to get that data unobtrusively. If you want it, you need to put up the banner.
       
 (DIR) Post #AxoM5CH4dswQy99rzU by mikesax@mas.to
       2025-09-02T23:39:07Z
       
       0 likes, 0 repeats
       
       @aral @codinghorror Look, Aral Balkan, we could have a very juicy and polarizing conversation about this, but it wouldn’t help the cause. 🤓 And the cause, as I understand it, is to advance the privacy of citizens, with fully informed consent and as little hassle as needed. I believe that a large portion of the cookie banners on the web are presented just because that’s the default. 1/4
       
 (DIR) Post #AxpL5SskzOsfgIJ9UG by Scoll@mastodon.social
       2025-09-03T11:02:31Z
       
       0 likes, 0 repeats
       
       @aral The goal of the GDPR was to get companies to STOP tracking users. There's no reason that they couldn't have made their websites non-tracking by default, or configurable at the browser. Instead they want to make the user annoyed that they have to say no, every time. This is very similar to the way we got to the point of banning plastic straws when we wanted to ban plastic fishing nets.
       
 (DIR) Post #Axr4EtLQf6pnSFY37Y by cuu508@toot.lv
       2025-09-04T06:30:16Z
       
       0 likes, 0 repeats
       
       @mathew @mkj @praerien @aral some do, some don't. Some don't because they're oblivious, some intentionally. You can check in Chrome: load a page in Incognito window, then press F12 to open developer tools, then go to Application > Cookies, and see if there's _ga, _fbp, or any of the other usual suspects.
       
 (DIR) Post #Axr4EulhMvRRs0qXho by cuu508@toot.lv
       2025-09-04T06:36:43Z
       
       0 likes, 1 repeats
       
       @mathew @mkj @praerien @aral I made a script that tracks Latvian websites that have the "load cookies first then ask for permission" problem: https://sīkdatnes.lv For problematic sites, I send an informal email explaining the problem and asking to fix it. In case of no action, I send a formal, signed complaint. And then in case of no action, I report them to our country's DPA. In quite a few cases the informal email is enough, and the issue gets acknowledged and fixed.
       
 (DIR) Post #Axr4EvGtUwOZQlRSKW by aral@mastodon.ar.al
       2025-09-04T07:03:13Z
       
       0 likes, 0 repeats
       
       @cuu508 @mathew @mkj @praerien Nice :)
       
 (DIR) Post #AxrtCKM4sPnC1HO0Ho by andrewrk@mastodon.social
       2025-09-02T17:01:56Z
       
       0 likes, 1 repeats
       
       @codinghorror @aral my website does not have cookie banners but yours does
       
 (DIR) Post #Axxu8pwOlUuLj32AGu by ujay68@mastodon.world
       2025-09-07T14:13:02Z
       
       0 likes, 0 repeats
       
       @aral 🏆
       
 (DIR) Post #AxzFGT1IA3zB9JlKaW by Kierkegaanks@beige.party
       2025-09-08T05:44:22Z
       
       0 likes, 0 repeats
       
       @aral but it’s making predatory business slightly more cumbersome 😭