[HN Gopher] New browser signal could make cookie banners obsolete
___________________________________________________________________
New browser signal could make cookie banners obsolete
Author : chdlr
Score : 258 points
Date : 2021-06-16 08:03 UTC (14 hours ago)
(HTM) web link (www.dataprotectioncontrol.org)
(TXT) w3m dump (www.dataprotectioncontrol.org)
| rosmax_1337 wrote:
| I've done some basic reading on GDPR but can't honestly say I
| have it completely figured out. Can someone help me out with a
| use case that I come across frequently? Selling tracking data to
| third parties is the kind of thing no one wants to actually opt in
| to, and what I imagine GDPR partially tries to combat. (among
| other things)
|
| What about site statistics keeping? If say a newspaper collects
| statistics about visitors to their articles, and does
| browser/user tracking by implementing cookies, for __internal__
| use, rather than selling data to third parties. Is a cookie
| banner still necessary for that kind of consent?
|
| Personally, I don't care if my IP appears on any website log that
| I have visited, or if a unique cookie ID becomes present on the
| site until I clear my cookies. If I cared about my IP being
| tracked, or cookie IDs like that, I would browse using a VPN and
| "Private mode" in browser. What I do care about is the complex
| browser fingerprinting that keeps track of (essentially) my
| entire browser history, externally, with everything from my
| google searches, youtube videos, online purchases and website
| visits being visible in some kind of giant aggregate form.
|
| Basically compare it to being videotaped when entering a store.
| Yeah sure, I might be a bit irked by the camera but I don't care
| too much. Comparing that to putting a camera on every street
| corner, and using facial recognition to generate a day by day
| pattern of all my visits to all stores the last 30 years, and I'm
| not a happy camper any more.
|
| I would even go as far as cookie banners for the above tracking
| scenario, where you are tracked completely, should be illegal.
| That kind of "consent" can't even be gained by just clicking a
| <button> on a website, it would require a valid ID and signature
| at least.
|
| And on the other hand, the "internal store videocamera" taping
| customers as they enter, perhaps even applying face recognition
| software to count unique visitors per year to the store, is
| hardly worth the hassle of clicking a cookie banner personally.
| I'm certainly not averse to a position of not wanting to be
| tracked when entering a store or a webpage though, and if someone
| has a personal need to not be tracked like that, they should be
| able to apply basic non consent based tools to avoid being
| tracked. Like wearing sunglasses and a cap when entering the
| store, or browsing using a VPN.
| ratww wrote:
| The most important concept of GDPR is "Personal Identifiable
| Information", or PII:
| https://en.wikipedia.org/wiki/Personal_data
|
| You can collect statistics all you want if you anonymize data
| such as IP addresses. But you can't collect and store PII (or
| even aggregate data that can be used to identify a certain
| user, aka fingerprinting) without consent, or without having a
| legitimate reason.
|
| By legitimate reason I mean that you can freely collect
| information that is strictly necessary for performing tasks
| expected by customers. For example, you don't need explicit
| consent to collect a customer's address for delivering a
| package via Post. You can also have a cookie for login without
| requiring "cookie banner". However, you can't repurpose data
| you collected legitimately for other purposes, such as sending
| spam.
|
| (Please notice that legitimate reasons don't include anything
| marketing-related, spam, selling to third parties. "Legitimate
| interest" in GDPR means the legitimate interest of _the
| customer_, not of the business)
|
| About fingerprinting, if it can be used to identify single
| users, it becomes PII. This means fingerprinting also falls
| into GDPR.
| jeroenhd wrote:
| Tracking visits to articles can be done entirely server side,
| no need for consent there as long as you just increment the
| counter by one. If you store PII to do it (IP address) you will
| need consent.
|
| You don't need consent to store the IP in your server logs
| because that serves an undeniable legitimate interest for
| detecting abuse and diagnosing issues. However, you cannot use
| that information to generate statistics without consent.
|
| As others said, gather as little as possible, for as short as
| possible, with a simple explanation and you should be golden.
| Lazy implementations (slapping Matomo on a server and calling
| it a day) do not comply with "as little as possible", and
| limitations in your tech stack ("we use cloudflare so we HAVE
| to use a cloudflare cookie") don't count either; it has to be
| as little as possible for the functionality to work, not for
| your developers to be comfortable.
|
| Consult a professional for legal advice, but most websites
| don't strictly need consent popups. The advertisers do, and the
| marketeers want as much info as possible as well, but on a
| technical level, there's no need for most reasonable use cases
| to have a consent form. It all comes down to the bad decisions
| the website owners make.
|
| I think it's disgusting that tracking has become the standard
| and opting out needs to be something special only some people
| can choose to do. Your comparison works for self-hosted
| monitoring (though I doubt a business that loudly proclaims, in
| text and audio so blind people can enter as well, that it
| tracks your every move will get much business). However, most
| websites use third party trackers, so the comparison becomes
| closer to your own personal entourage of men in trenchcoats,
| following you around and occasionally writing _something_ about
| you down.
| nicbou wrote:
| Gather as little as you need, share it as little as you need,
| and keep it as long as you need to fulfil your customer's
| request. For anything else, get consent.
|
| Any kind of private information you store or share needs
| consent.
|
| This is why plausible.io doesn't require consent, but Google
| Analytics does.
| kybernetikos wrote:
| I'm not an expert but I have read the text. You should talk to
| an expert.
|
| Having said that my understanding is you don't need consent if
| the information processed is not personally identifying. The
| gdpr text is also quite clear that consent is just one of a
| number of legal bases for processing pii and there are a whole
| bunch of provisos for relying on it (which are still ignored on
| most sites)
|
| For your stats use case I think the best option would be to
| store and log anonymized stats that wouldn't be considered
| personally identifiable information. And then you shouldn't
| need a consent form.
| pornel wrote:
| Reminder that we've already had a spec for it. In the 90s! And it
| even has been implemented in the Internet Explorer:
| https://www.w3.org/P3P/ It did absolutely nothing for privacy.
| Google has been sending bogus P3P headers that broke IE's
| implementation and allowed all cookies.
|
| Adtech companies don't want users to have an easy opt-out. They
| didn't want P3P. They didn't want DNT. They will not want this
| new spec, unless the spec is so bad that most users will agree by
| accident.
|
| The annoying and confusing cookie banners are a feature. Besides
| making people agree through confusion or attrition, the banners
| are malicious compliance. Adtech companies putting them up want
| you to be pissed off at the banners. They want you to associate
| them with privacy, and conclude that privacy laws are pointless
| and should be repealed.
| nickpp wrote:
| Visit https://gdpr.eu or
| https://europa.eu/european-union/index_en "The Official website of
| the European Union". Look down. Both have a cookie banner.
|
| The emperor is naked. The GDPR law is broken.
| [deleted]
| eastendguy wrote:
| "They want you to associate them with privacy, and conclude
| that privacy laws are pointless and should be repealed."
|
| Once in a while I read/learn something new at HN that changes
| my perspective on things. This sentence is such an example.
| patates wrote:
| I agree but I changed "pointless" with "hopeless" for a
| better effect on my end.
| bwindels wrote:
| As I understand it, the idea would be to make respecting these
| automatic signals mandatory in an update to the GDPR. See
| https://techcrunch.com/2021/06/14/europe-needs-to-back-brows...
| for some more context.
|
| Granted though that enforcement of the existing rules seems to
| be the biggest problem today.
| ComodoHacker wrote:
| And if a browser or extension abuses these signals (i.e.
| always sends them without user's explicit and informed
| consent), who is liable?
| majewsky wrote:
| Liable for what? GDPR says you can only collect data if you
| have informed consent from the user. It does not imply any
| right on the side of the business to be able to obtain such
| consent.
| dmitryminkovsky wrote:
| > The annoying and confusing cookie banners are a feature.
|
| Not just that, but I've never seen a cookie banner that does
| anything. Cookies get sent down with the page on the initial
| load. Whenever I've opened an inspector to see if cookies get
| unset by JavaScript in response to my "opting out," I've never
| seen an effect. The same cookies get sent after I opt out: no
| change. Has anyone seen a cookie preference banner that
| actually does something?
| simpss wrote:
| Smaller, local (to me) sites have started to have cookie
| banners that have an effect. My bank, 1/3 of the bigger news
| sites here etc...
|
| They all started with a single "agree" button, then went to
| "agree/disagree" with no effect and are finally starting to
| come around to a functioning disagree button.
|
| GDPR also helps here, as it defined what identifies an
| individual and that made most of the tracking PII even when
| it's all merged by a random ID that stays with the user. The
| effect is slow, but it's starting to work.
|
| Hopefully the next step will be abandoning cookie banners and
| only using technically required cookies (don't need consent)
| and/or non-identifying tracking for aggregate results. This
| is a massive improvement on UX and actually gives the company
| more quality data that doesn't identify any single
| individual.
|
| I'm personally pushing for aggregated tracking in my current
| company. It's an uphill battle, but one that can be won I
| think.
| imiric wrote:
| > non-identifying tracking for aggregate results
|
| That sounds similar to FLoC, which is still very much
| identifying[1].
|
| The solution to user tracking isn't less identifying
| tracking. It's _no_ user tracking.
|
| [1]: https://blog.mozilla.org/en/mozilla/privacy-analysis-of-floc...
| Symbiote wrote:
| Look at well-funded government or other public websites.
|
| https://www.gov.uk/, https://www.nhs.uk/, https://europa.eu/,
| https://home.cern/, https://www.bundesregierung.de/ (maybe),
| https://www.dr.dk/ (maybe).
| worldsayshi wrote:
| Unless regulators force companies to respect automated
| protocols.
| sascha_sl wrote:
| This. You can see the impact of this on the new iOS tracking
| permissions. Most people want to opt out, but can't.
| Regulators stepping in would spell the end of large sections
| of the online advertising industry, so I doubt it'll happen.
| dividedbyzero wrote:
| > Most people want to opt out, but can't.
|
| Not following this too closely, I thought that's possible
| now, or at least as soon as the last few holdout apps get
| updated?
| Macha wrote:
| That's the point, by Apple taking control of the
| interface and preventing dark pattern bullshit, opt in
| rates are way lower on iOS than on websites.
| xbar wrote:
| Regulators in the US do not seem to be completely in the
| pockets of the online advertisers quite yet, given recent
| legislation proposals. Regulators in the EU, even less so.
| belorn wrote:
| The GDPR already explicitly forbids 95% of the cookie banners
| out there, but large companies decided to ignore it and
| simply face the fines if they in some hypothetical future
| will arrive. The rest of the industry followed.
|
| Until the law that defined _informed consent_ actually gets
| enforced, a new law can not really fix it unless the
| regulators start to add the threat of jail time to repeat
| offenders.
| M2Ys4U wrote:
| Noyb - one of the organisations behind this proposal - have
| started contacting the operators of non-compliant
| websites,[0] as the first step in forcing them towards
| compliance.
|
| If they change their ways then good, if not Noyb has a much
| more solid case when making a complaint to the SAs and/or
| the courts.
|
| [0] https://noyb.eu/en/noyb-aims-end-cookie-banner-terror-and-is...
| virgilp wrote:
| I mean, a good first step would be to start fining
| companies 2% of the revenue. Especially Google. And then
| maybe automate the GDPR fines, because it's definitely
| possible to identify that a site puts up a non-compliant
| banner.
|
| No need to add the threat of jail time, _especially_ if it
| isn't enforced.
| delfinom wrote:
| 2% of revenue while stalling the GDPR process and taking
| it to court for 10 years makes it only 0.2% ;)
| virgilp wrote:
| Even so, it would be 0.2% per EU country, right? Because
| the legislation is transposed into member states
| legislation. I doubt that anybody would really want to
| fight (& risk losing) in even 5 member states per year...
| vntok wrote:
| That would be 2% each year for ten years of infringement
| though, and very expensive lawyers to pay for at least
| that duration.
| nicoburns wrote:
| A standardised protocol approach might make enforcement
| easier. It would make it a lot more clear cut whether
| someone was infringing or not.
| Nextgrid wrote:
| Automated enforcement is already easy if there was
| willingness to do it. The majority of non-compliant
| cookie banners use a handful of libraries and/or third-
| party services such as TrustArc so detecting these with a
| web scraper is trivial.
| [deleted]
| galgalesh wrote:
| > but large companies decided to ignore it and simply face
| the fines if they in some hypothetical future will arrive.
|
| This is not the case. The fines are up to 2% of annual
| global turnover. This scares companies.
|
| Moreover, some of the worst offending cookie banners are
| slowly being replaced by better ones as more and more
| organizations (such as noyb) file official complaints and
| companies get fined.
| anoncake wrote:
| It obviously doesn't scare them enough, even if it should
| in theory.
| krageon wrote:
| > This is not the case. The fines are up to 2% of annual
| global turnover. This scares companies.
|
| You are wrong. The initial fine is much, much lower and
| companies have so long to dabble in wilful ignorance that
| it is at the moment not something that has teeth.
| Companies are like bullies, they don't respect threats -
| only harm.
| JumpCrisscross wrote:
| > _initial fine is much, much lower and companies have so
| long to dabble in wilful ignorance_
|
| Another diluent: the maximum fine is practically the
| lesser of 2% and the NPV of business in that European
| country, or, expansively, in Europe. If you have little
| business in Europe, it's cheaper in some cases to simply
| close shop.
| labawi wrote:
| I'm pretty certain an actual fine (not ceasing
| operations) has a limit of max(10MEUR, 2% worldwide
| revenue of previous year) and double if you're
| antithetical to GDPR. Also, it's per infringement and
| isn't a yearly free pass to continue once you're fined.
|
| Companies are not doing much because enforcement is
| lacking, and in case you get caught, most fines are in
| the neighborhood of reasonable rather than instant
| liquidation.
|
| [0] https://noyb.eu/en/irish-dpc-handles-9993-gdpr-complaints-wi...
| 2T1Qka0rEiPr wrote:
| I thought this exactly. Kind of like US requiring pension
| plan options to be provided in a certain consistent layout
| etc., were this spec to be _demanded_ by e.g. the EU, then it
| could see a really positive shift
| pulse7 wrote:
| It is time for the governments to take control back and start
| regulating BigTech: you can not easily opt-out from any data
| gathering from Google, Microsoft, Apple, Facebook, ... If you
| try it and turn it off on mobile phone and desktop you will
| constantly have issues and be flooded with messages like
| "turn on location services", etc. Yesterday I learned that my
| private calendar on my phone was replicated to Google
| Calendar >>for many years<< without my knowledge, because the
| default setting was to save new events into Google Calendar
| and not a local phone calendar... and I was not asked during
| setup if I would like that (I have turned off all replication
| / data sharing / etc.)... this is just crazy... they are
| basically STEALING MY DATA and sending it to the cloud where
| it is processed without my knowledge... I hope they pay BIG
| MONEY for these GDPR breaches...
| II2II wrote:
| I doubt there is an easy fix in cases like Google Calendar
| due to consumer expectations. Simply put, there are certain
| types of data that many consumers expect to be
| synchronised, and those of us who have the opposite
| expectation (or only want certain data to be synchronised)
| are likely in the minority.
|
| This is somewhat different from most tracking done on the
| web, which is done for the exclusive benefit of those doing
| the tracking.
| sam345 wrote:
| How is this possible? Probably forgot you gave consent to
| Google calendar?
| ryukafalz wrote:
| Recent Android phones sync a ton of stuff automatically -
| which I suppose you agree to by signing in with a Google
| account, but that's also typically required. I know this
| because on the last two Android phones I purchased, a set
| of old outdated contacts from my Google account were
| automatically synced to the phone as soon as I logged in,
| which I was required to do to begin using the device.
|
| Believe me, I would have opted out of this had I been
| prompted to do so during setup.
| pulse7 wrote:
| Time to go away from GMail account...
| pulse7 wrote:
| I checked again exactly why this happened: Samsung
| Calendars app (which is a default calendar app on Samsung
| phones) has set a default calendar for my new events to
| my Google Calendar account. And if you just enter the
| event title and set the time (what one would usually do)
| - and leave all other settings untouched - then by
| default it will be added to your Google account which
| will then be synced to the cloud... You can change these
| settings (see [1]), but the default is wrong!
|
| [1] https://eu.community.samsung.com/t5/galaxy-s9-series/default...
| pulse7 wrote:
| Be sure that I didn't give any consent...
| roblabla wrote:
| The thing about this new spec is that it's compatible with the
| GDPR in a way that could make adopting this a legal
| requirement, given enough lobbying effort. It'd be a long
| battle, but I could foresee a future where regulators require
| adtech to implement this spec to obtain consent.
|
| That won't stop them from additionally using cookie banners,
| out of spite. But I suspect many websites that currently have
| cookie banners only have them because they believe it to be
| necessary, and it's hard to push back on it. If such a spec
| came to be recognized as a way to obtain consent by regulation,
| it'd make it easy to point its way, and at least end the
| madness of cookie banners on websites that don't need it.
| quotemstr wrote:
| But privacy laws _are_ pointless and _should_ be repealed.
|
| All this noise about cookie privacy, fingerprinting, FLoC,
| tracking, etc. --- what are the actual _harms_ that make these
| things bad? Has anyone in the real world ever experienced a
| concrete harm arising from interest targeting? Doubtful.
|
| The EU privacy regime imposes a heavy regulatory burden in
| exchange for nothing. Information is a non-rivalrous good.
| Further limiting its dissemination will increase friction all
| over the internet, impose new transaction costs on previously
| free interactions, and make the whole network less useful for
| everyone. And for what? Assuaging the paranoia of a tiny
| fragile and vocal minority of privacy activists? Sorry, but
| that's not worth breaking the internet.
| M2Ys4U wrote:
| Privacy is a _human right_, and respecting it does not, in
| any way whatsoever, break the internet.
| wintermutestwin wrote:
| Specifically, Article 12 of the UDHR states:
|
| "No one shall be subjected to arbitrary interference with
| his privacy, family, home or correspondence, nor to attacks
| upon his honour and reputation. Everyone has the right to
| the protection of the law against such interference or
| attacks."
|
| https://en.wikipedia.org/wiki/Universal_Declaration_of_Human...
|
| Why isn't this Article at the forefront of any and all
| conversation re: privacy?
| M2Ys4U wrote:
| Additionally Article 8 of the European Convention on
| Human Rights[0]
|
| >Everyone has the right to respect for his private and
| family life, his home and his correspondence.
|
| >There shall be no interference by a public authority
| with the exercise of this right except such as is in
| accordance with the law and is necessary in a democratic
| society in the interests of national security, public
| safety or the economic well-being of the country, for the
| prevention of disorder or crime, for the protection of
| health or morals, or for the protection of the rights and
| freedoms of others."
|
| and Articles 7 and 8 of the Charter of Fundamental Rights
| of the European Union[1]
|
| >Everyone has the right to respect for his or her private
| and family life, home and communications.
|
| and
|
| >1. Everyone has the right to the protection of personal
| data concerning him or her.
|
| >2. Such data must be processed fairly for specified
| purposes and on the basis of the consent of the person
| concerned or some other legitimate basis laid down by
| law. Everyone has the right of access to data which has
| been collected concerning him or her, and the right to
| have it rectified.
|
| >3. Compliance with these rules shall be subject to
| control by an independent authority.
|
| Both of these documents are legally binding (the former
| on all member states of the Council of Europe,[2] and the
| latter on the EU and its member states)
|
| [0] https://en.wikisource.org/wiki/European_Convention_for_the_P...
|
| [1]
| https://www.europarl.europa.eu/charter/pdf/text_en.pdf
|
| [2] https://en.wikipedia.org/wiki/Council_of_Europe
| quotemstr wrote:
| Who defines what "privacy" means? You? Why? Can you point
| me to the place where the Universal Declaration of Human
| Rights talks about cookies and FLoC? The UDHR is not a
| blank check for banning anything you want in the name of
| "privacy".
|
| There are a lot of angry people in this thread stating
| _what_ they want, but none have offered an argument for
| why we should structure society around their whims.
| Sorry, but "you shouldn't be able to collect
| information" isn't an argument. It's a wish. Nobody is
| under any obligation to indulge the wishes of random
| strangers.
| duckmysick wrote:
| There's nothing in the Universal Declaration of Human
| Rights about privacy regarding medical records, but
| various jurisdictions agree that it's worth protecting.
|
| > Sorry, but "you shouldn't be able to collect
| information" isn't an argument.
|
| How about "private entities shouldn't be able to collect
| my information without my explicit consent".
|
| > It's a wish. Nobody is under any obligation to indulge
| the wishes of random strangers.
|
| Yours included.
| freediver wrote:
| > How about "private entities shouldn't be able to
| collect my information without my explicit consent".
|
| If the information is public, no consent is needed.
|
| Privacy is about trusting someone with private
| information and expecting they will not do anything with
| it that you would not approve of.
| quotemstr wrote:
| > How about "private entities shouldn't be able to
| collect my information without my explicit consent"
|
| Keeping a diary or a phone contact list would be
| forbidden under a strict reading of that rule. Even
| remembering the name of a person you met at a party would
| be forbidden unless you ask for explicit consent first.
| "Hey, Joe. Great to meet you. Mind if I make a mental
| note connecting your face to your name?" Real people
| don't think like this.
|
| We all have a natural freedom to record facts we perceive
| in the world around us. Taken to its logical
| conclusion, privacy advocacy is about mandatory
| forgetting. No, thanks.
| imiric wrote:
| The issue is not with individuals keeping track of
| relationships and their contact lists. It's with how that
| information is further used, shared and sold. I wouldn't
| be pleased if a friend whom I trusted with my contact
| information shared it with others without my consent, and
| I would be very displeased if it ended up on Facebook[1].
|
| PII is very valuable to advertisers (or to adtech as I
| recently learned[2]) as it allows them to target
| individuals based on interest. Beyond the fact that I
| don't enjoy being forced into complicitness to being
| manipulated into purchasing a product, I strongly object
| to having a profile in some mega-corp's database that has
| my personal information I didn't agree to share with
| them, for them to dissect, analyze and sell in perpetuity,
| and to wonder how future advancements in adtech might use
| this data in less benign ways than today.
|
| At the very least, I would like a share of the profits
| they're making from me. Facebook and Google should be
| paying users to use their products, or everyone on the
| internet rather, but I don't think their shareholders
| would like that very much.
|
| [1]: https://www.businessinsider.com/facebook-uploaded-1-5-millio...
|
| [2]: https://news.ycombinator.com/item?id=27531714
| Santosh83 wrote:
| Information is power. The more information about more people
| with more depth to the graph is amassed by Big Tech and
| 3-letter agencies, the more soft power is accrued over large
| groups of people, economies, processes and even nations.
|
| And this ability is currently asymmetric. While Big Tech and
| Big Govt knows nearly everything about everybody, ordinary
| citizens are denied data and transparency. And even if the
| data may be hypothetically available, its scale precludes
| analysis by anyone except highly funded groups.
|
| Lack of privacy _does_ translate to enormous soft power. It
| doesn't have to result in death, although the potential is
| there for that too. Democracy and individual liberty become
| meaningless except on paper.
|
| I'm not sure that's what we want, in exchange for a few
| conveniences in the palm of our hands.
| quotemstr wrote:
| > The more information about more people with more depth to
| the graph is amassed by Big Tech and 3-letter agencies, the
| more soft power is accrued over large groups of people,
| economies, processes and even nations.
|
| Is there any evidence that Big Tech and Big Government are
| _actually_ controlling people by tagging them in some
| database (which no human actually inspects) as being
| interested in hiking gear and cookie recipes? Give me a
| break.
|
| What you've described isn't a concrete harm, but an emotion
| --- specifically, fear. Lots of fears are baseless. So is
| this one. We shouldn't organize society around the baseless
| fears of tiny vocal minorities.
| antris wrote:
| Companies who track your information, including FAANG get
| regularly investigated and often fined for violating
| antitrust laws when they use the data they've gathered to
| limit or outright kill competition. I find it
| disingenuous to ask for evidence of some kind of vague
| "companies controlling people" when it's obvious that
| they do it on a larger scale all the time.
|
| No, companies do not mind control people on an individual
| level, but what they do has all the traditional effects
| of monopolies/oligopolies that are not democratically
| controlled by the people affected but a handful of rich
| executives.
|
| I'm not even going to go to the "advertising controls
| people" dialog tree. If it's not obvious why having the
| power of putting anything you want in front of billions
| of people is powerful, then I don't think there's a
| discussion worth having.
| quotemstr wrote:
| > it's not obvious why having the power of putting
| anything you want in front of billions of people is
| powerful, then I don't think there's a discussion worth
| having
|
| There it is. It's not about tracking per se. It's really
| about control over advertising and information
| dissemination more broadly.
|
| Motte: preserving user privacy by blocking cookies
|
| Bailey: let's tightly control who can put messages in
| front of the general public
| antris wrote:
| Is putting barriers into how huge multinational companies
| can exploit their data farming to cement an
| unchallengeable position in the market and kill off
| competition or dissent within the system "tight control
| into who can put messages in front of the general
| public"?
|
| You are framing this as if I am somehow advocating
| censorship towards people, yet I am advocating the
| opposite position. Executives shouldn't be given such
| huge powers of data mining and information distribution
| and the ability to shut powerless opposition and competition
| out. This is about _preserving_ equal voice to all
| people, and preventing juggernauts from squashing it.
| handrous wrote:
| We call it stalking when an individual does it.
|
| It should be, flatly, illegal to collect that sort of
| data about people without a business _need_ to do so, and
| illegal to use it for _any_ other purpose, transfer it to
| any other entity without the same restrictions on its
| use, et c., when it's needed (like: credit card
| companies and banks obviously need to know where & when
| you spend money, but they shouldn't be able to use those
| data for anything else _at all_ --no aggregating and re-
| selling to others, no mining spending trends for
| investment intelligence, no targeting ads at you based on
| it, none of that).
| cratermoon wrote:
| > what are the actual harms
|
| The kind of question can only be asked by someone who has
| never been abused by a domestic partner, never been on the
| wrong end of debt collectors, the law, disgruntled employees,
| doxxers, or other real and persistent threats that are
| enabled by the data collection and aggregation that is the
| foundation of interest targeting.
| quotemstr wrote:
| Do abusive domestic partners, debt collectors, random
| employees, or angry doxxers have access to targeted
| advertising interest data? The "harm" you're discussing is
| hypothetical and extremely unlikely. I'm asking for
| concrete examples.
| morelisp wrote:
| Debt collectors are huge data broker clients. (And
| sellers too - junk debt can go both ways on these
| markets.) Disgruntled employees leak a fair bit too.
| eli wrote:
| P3P wasn't great. It's pretty hard to reduce the nuance of how
| you're proposing to use data down to a handful of fields that
| will be automatically processed.
|
| I remember spending a silly amount of time trying to come up
| with a P3P policy that was both accurate and also didn't break
| sign-on for a single app that used multiple domains.
| morelisp wrote:
| > Adtech companies don't want users to have an easy opt-out.
| They didn't want P3P. They didn't want DNT. They will not want
| this new spec, unless the spec is so bad that most users will
| agree by accident.
|
| Reminder that Internet advertising has a lot of actors with
| competing interests, and it is not usually the "adtech
| companies" who don't want users to have an easy opt-out, but
| publishers and to a lesser extent the advertisers. Many "adtech
| companies" would love to have clearer legal signals and
| simpler, industry-wide justification to collect less data.
|
| Publishers have been very good at foisting all user frustration
| off on vague "adtech" (or alternately, adtech companies have
| been effective at reputation laundering for
| publishers/advertisers) but they're the ones that want to
| collect, share, and sell the data to be able to raise their
| rates.
| Ensorceled wrote:
| This is fundamentally misunderstanding how internet
| advertising works:
|
| advertisers will pay higher CPM for precise targeting and
| attribution
|
| publishers want the best CPM they can get
|
| adtech uses as many tricks as possible to get as much
| information as possible about a user so they can maximize the
| CPM the advertiser will pay
|
| Publishers just end up doing whatever their adtech partners
| tell them will give them the best CPM.
| morelisp wrote:
| Haha, no. You're falling for the trick, or maybe you're
| just 10 years behind.
|
| Publishers (and retailers, and anyone with a dataset) seek
| out adtech partner companies, to justify high CPMs _and to
| sell their audience data_. Adtech companies are market-
| makers, it's been years since the data they can get
| independently of supply-side partners was worth shit.
|
| The publisher is the one with the cookie warning and
| consent forms! The publisher is the one who wants you to
| log in with a stable ID! The publisher is the one with a
| model of you regardless of your ad or tracker blocker
| settings! The adtech companies will sell you downstream for
| sure, but the publishers are the ones deploying as many
| tricks as possible to gather data.
|
| And yeah, adtech companies will advise them about how to
| effectively gather data. That's a lot less about "tricks"
| and more about how to build salable taxonomies instead of
| data lakes full of garbage. To the extent it's about
| tricks, it's more often the adtech companies having to
| patiently but firmly explain, no, you _can't_ just
| hardcode a single consent state for all visitors and send
| that to us in lieu of a real CMP. (A purely theoretical
| example, of course...)
| Ensorceled wrote:
| > Publishers (and retailers, and anyone with a dataset)
| seek out adtech partner companies, to justify high CPMs
| and to sell their audience data. Adtech companies are
| market-makers, it's been years since the data they can
| get independently of supply-side partners was worth shit.
|
| You're correct, for large publishers ... I guess we could
| almost say they are adtech companies now.
| mindslight wrote:
| IMO it's easier to just call them "surveillance
| companies" and be done with it. Regardless of whether
| they're collecting, storing, or processing surveillance
| data, they're all in the same business as Equifax,
| Google, Lexis-Nexis, and NSA.
| morelisp wrote:
| I don't think it's useful for analysis or activism to
| group Equifax, Google, the NSA, the New York Times,
| Humble Bundle, Twitter, Airbnb, Walgreens, etc. under a
| single term. The flattening of this mess down into
| "adtech" is how most of them have avoided scrutiny, and
| relabeling that "surveillance" doesn't make the
| relationships between them any clearer.
| mindslight wrote:
| Like all paradigms, it makes some things clearer and
| other things less clear. This one helps me keep my head
| straight about easy to ignore aspects of my relationship
| with the ones that would otherwise appear as being tamer,
| especially for instance Google.
|
| The ones that seem out of place on your list are because
| their main business is something other than surveillance.
| Saying that Walgreens "patronizes the surveillance
| industry" does make more sense than labeling the whole
| company as doing that one thing. Although labeling the
| marketing group requesting all the trackers be added to
| their website as the "surveillance department" makes
| sense.
|
| I think "surveillance" is a much better term than "ad"
| because the latter seems like just some harmless
| annoyance in line with American business values, whereas
| the former more accurately captures that the systems
| these companies are building are offenses against freedom
| and humanity.
| canadianfella wrote:
| "The Internet Explorer"
| Placido wrote:
| Just use Super Agent. You choose your preferences once and
| that's it. And once iOS 15 is out, it will be available in
| mobile.
| freediver wrote:
| What is Super Agent?
| denton-scratch wrote:
| "the banners are malicious compliance."
|
| I agree. But I don't think it's because adtech want you to
| think privacy is shit; I think it's because by compelling you
| to click, they can run Javascript in the context of a user
| gesture.
|
| I want a plugin that automatically says "OK" to cookie banners.
| My browser already blocks 3rd-party cookies. It only allows
| session cookies. Cookie banners are like fire-hydrant CAPTCHAs
| - they massively increase the friction that web users have to
| deal with.
|
| They also legitimise other kinds of popup window that websites
| present. I've noticed more and more popups appearing on first
| visit to a site, inviting me to subscribe to a newsletter or
| whatever. You often see a cookie banner, followed by a
| newsletter popup, followed by a Google login popup. Who knows,
| maybe there's a traffic-lights CAPTCHA.
|
| Then finally you're into the site, and it turns out to be
| Washpo or NYT, and you can't read the article anyway, because
| it's paywalled.
|
| Can we have our open web back please, mister?
| ginko wrote:
| > I want a plugin that automatically says "OK" to cookie
| banners.
|
| Why would you want that? Even if you delete 3rd-party cookies
| that would still allow tracking companies to log your IP and
| track you through some other shady means which you've now
| consented to.
| denton-scratch wrote:
| Because it makes no difference to my assurance-level which
| button I click. There's no way of knowing what they do
| serverside with your form submission (and it nearly always
| is a form submission).
|
| Cookie approval has to be under the control of the user,
| not the website. So it has to be done by the browser or an
| extension. So if I have user-controlled cookie-approval, I
| might as well click "OK" on the form - the site might treat
| me better if I do.
| loloquwowndueo wrote:
| "I want a plugin that automatically says "OK" to cookie
| banners."
|
| Try "I don't care about cookies" :)
|
| https://www.i-dont-care-about-cookies.eu/
| joepie91_ wrote:
| A _much_ better option is Consent-o-Matic, which will
| _reject_ cookies for you automatically.
| bwindels wrote:
| Is this extension trustworthy? It is "recommended" and says
| GPL3 but there is no link to the source code anywhere.
| tcit wrote:
| The author doesn't publish the extension sources.
| https://reddit.com/comments/bru6wd/comment/eohtox3
| cratermoon wrote:
| I don't think that's _quite_ in compliance with GPL3, but
| I'm not a lawyer. The bundled release artifact doesn't
| allow someone to build the extension, and I think GPL3
| takes that into account. If I have a Java program, I have
| the bytecode, and unless it's been run through an
| obfuscator, I can pretty easily recreate the Java code.
| But the GPL3 doesn't count that as compliant.
| grey_earthling wrote:
| Their argument is that the extension as it's distributed
| is essentially a zip file containing the source code.
| denton-scratch wrote:
| Thanks - I'm looking into that.
| mffap wrote:
| I would argue that times have changed. Sure, there's still
| misaligned interests between ad providers and users in terms of
| privacy. But I think the EU regulators found the right level of
| financial incentives to change some of the worst habits.
| sebastian_z wrote:
| The ad industry is not monolithic, though. Some people want to
| genuinely move on to less privacy-invasive business models;
| others not. I have been to industry conferences where the
| advice was "well, if you do not like the Do Not Sell link on
| your site, maybe it's time to stop selling and start changing
| your business model."
|
| What is different this time around compared to P3P, DNT, and
| other earlier mechanisms is that the times have changed.
| Privacy is a much bigger topic. There is much more reporting
| now about privacy. Users understand a bit better
| (though, we are still far off from real transparency).
| Lawmakers and regulators are catching up. Many companies
| embrace privacy. There is a burgeoning privacy tech industry
| with quite a bit of venture funding.
|
| Also, lessons were learned from earlier efforts. CalOPPA
| required recipients of DNT signals to only _say_ whether they
| respect those. The CCPA regulations now require _actual_
| compliance. If the CCPA is applicable to your company, you have
| no choice but to respect it. And that is also true for
| automated browser signals. There is much stronger enforcement
| now behind more recent privacy laws. Virginia and Colorado
| recently enacted privacy laws, and it is likely that other
| states will do too.
|
| Disclosure: I am an academic researcher working with
| collaborators of all stripes on Global Privacy Control (GPC)
| [1, 2]. We are in touch with the good folks at ADPC and support
| their work. They are doing a fantastic job over there!
|
| [1] https://globalprivacycontrol.org/
| [2] https://github.com/privacycg/proposals/issues/10
| unknown_error wrote:
| Thing is, how is regulation supposed to ever keep up with the
| rapid advancements of technology and advertising and the
| lobbies that come with all that revenue?
|
| Capital and technology need not respect sovereign borders and
| laws as long as they can keep one step ahead of enforcement
| and still get enough revenue. The laws and lawmakers are
| fundamentally slower and weaker and poorer; by the time CCPA
| et al have an actual deterrent effect (beyond just mandated
| privacy notices), the industry will have moved on to some
| more sinister loophole.
|
| It's an arms race that 1700s-style government simply cannot
| keep up with. It takes months to come up with new algorithmic
| loopholes, decades to change the law, one industry-friendly
| administration to undo all the progress.
|
| Offloading privacy to government only works when you have
| strong states (China, the E.U. maybe). In the US, what's left
| of the federal government is too crippled to effectively
| tackle this (and arguably any technological problem) at
| scale. State-specific laws are subject to the same
| constraints, and additionally face the problem of enforcement
| across borders and Commerce Clause issues. If anything this
| will be an arms race between adtech and adblocking; Congress
| is the kid in the corner crying, "But I wanna play too!" and
| pretty much shrugged off by everyone else.
| stonemetal12 wrote:
| Simple: the law should be written in a technology agnostic
| way. Something along the lines of "Services shall not track
| user behavior beyond what is necessary to render service,
| and user behavior shall not be sold to, shared with, or
| otherwise made useable by third parties without user
| consent" Then it doesn't matter what technology you come up
| with in the future it is covered.
| unknown_error wrote:
| That doesn't really work long term. "necessary to render
| service" might include advertising dollars. And who is a
| "third party"... If ad networks reorganize into a
| cooperative that offers services directly to publishers
| in the manner of AWS, are they still a third party? And
| user consent, what if it becomes a requirement to consent
| before you can access data, or opting out gives you
| diminished functionality...
|
| None of that is far fetched. Facebook, Google, Apple etc.
| all track and use first party data. If anything this just
| consolidates advertising power into the hands of an
| oligarchy that's already largely above antitrust law.
|
| The law is never simple, exhaustive, or agile when it
| comes to regulating technologies.
|
| GDPR has been the most successful of the bunch and all it
| really did was force a bunch of cookie notices and
| deletion processes. That still largely depends on people
| being lazily accepting advertising.
|
| Any proposed law that singlehandedly destroys ad tech is
| unlikely to either pass or stay relevant for more than a
| few months.
| dvfjsdhgfv wrote:
| > They want you to associate them with privacy, and conclude
| that privacy laws are pointless and should be repealed.
|
| This is a sentiment expressed surprisingly often even here on
| HN.
| MagnumOpus wrote:
| A huge proportion of posters either work at adware companies
| or are big time owners of adware stocks.
|
| And as the Sinclair adage goes, it is difficult to get a man
| to understand something when his salary depends on his not
| understanding it.
| orangecat wrote:
| By this reasoning, you must be a Google shill since the
| GDPR has been great for their market share:
| https://globaldatareview.com/competitionantitrust/study-
| gdpr...
| dvfjsdhgfv wrote:
| Well, just like many others I own - both directly and
| indirectly - some tech stocks, but it doesn't influence my
| view on privacy at all.
|
| Actually, the view that they have to either do unethical
| things like tracking or perish is one of the greatest
| fallacies and a sign of lazy thinking.
| kodablah wrote:
| I am completely outside of adtech influence and even I can
| recognize that the costs may outweigh the benefits of the
| current state of government-attempted adtech regulation.
| Most arguing against these laws are either more libertarian
| wrt tech, or take umbrage with the specific nature and
| enforcement of the law.
|
| Almost everyone wants privacy limits, they just don't agree
| on the current measures (or their previous ones, or the
| ones before that, or doubling down on continued failed
| policy approaches in the future).
| jjk166 wrote:
| This is intellectually lazy. You can't just assume that the
| large numbers of people who hold a position you disagree
| with do so only because they have some secret bias. It's a
| position which is not falsifiable and which absolves
| oneself of having to think critically about their own
| position.
| rchaud wrote:
| One man's 'intellectually lazy' is another man's
| 'educated guess'. Or as this community loves to say about
| others, "It is difficult to get a man to understand
| something, when his salary depends on his not
| understanding it."
|
| There are plenty of people online playing devil's
| advocate because one day they too could be rich and they
| don't want the harsh yoke of government regulation
| holding them back.
|
| On HN, part of the audience is in closer proximity to
| that kind of wealth, and their arguments in favour of
| that status quo reflect this.
| cratermoon wrote:
| I used to work in adtech. My position then, as now:
|
| 1. targeted ad buys are mostly a scam. Research shows that
| they are barely more effective than old-fashioned
| contextual ads.
|
| 2. Contextual ads, aka "dumb" ads, the kind that show ads
| based on the content they are displayed with, are fine.
|
| 3. adtech companies depend on advertisers not understanding
| (1) and publishers chasing dollars by signing up with ad
| targeting networks.
|
| The ones that are actually making money are the ad
| networks, and it is in their interest to spread FUD about
| (1) and not offer (2), as they make their money as a
| percentage of every ad sale (auction) transaction, and the
| CPM is higher on targeted ads because of ignorance of (1)
| leokennis wrote:
| This exactly. This is also why I never feel "ashamed" when
| sites ask me to please disable my ad blocker because when I
| block ads they'll go out of business. Or why I'll always
| decline even "user respecting" ads on sites.
|
| We're fighting the ad and tracking industry here, the internet
| equivalent of a gang member with a shiv and a length of pipe.
| I'm not going to fight nicely. I'll deny you any chance and any
| method I get.
| 411111111111111 wrote:
| Just a small reminder for people using Firefox and ublock
| origin: you can remove almost all cookie prompts by enabling
| the annoyances filters in the addon settings
| soperj wrote:
| I can't find that. Could you be more specific?
| Groxx wrote:
| "Filter Lists" settings-tab -> expand "Annoyances" ->
| Fanboy's is by far the most popular one. Otherwise read
| the pages they link to / view the content (many have
| descriptions in content) - many of them are intended to
| work with Fanboy's, but if not you may have excessive
| duplicates.
| soperj wrote:
| Thank you!
| equitablequal wrote:
| Anyone not using Firefox/Ublock; you can use NoScript to
| block the banners, and a lot of other adtech (including
| some paywalls such as Bloomberg) as they are all JS-
| powered.
|
| It's quite surprising to see how many JS plugins are in
| operation on a typical consumer site, and satisfying to
| know they were all blocked unless expressly permitted :)
| Arnavion wrote:
| Keep in mind, however, that you will end up enabling all
| the "Please enable Javascript to view our website (even
| though our website works well enough for your casual
| visit without it)" banners, that are enabled in the HTML
| by default and hidden by JS :)
|
| For example, one particular maroon-headwear-related Linux
| distro's bug tracker has a particularly egregious
| _blinking_ bright red banner, asking you to enable JS for
| the website to "function correctly", even though reading
| bugs on said tracker works fine without it.
| gnyman wrote:
| And if you don't want to or can't install noscript, you
| can use my little hack https://noscript.it/ to view a
| page without javascript.
|
| Note that it is a hack/poc and does not always work,
| especially the x-frame-detection is iffy so if you try it
| and just see a blank page try the "enable proxy"
| checkbox. I use it every now and then on iOS to get
| around some especially obnoxious JS, but if there were
| more users I would be more motivated to improve it (hint
| hint:-)
| AnIdiotOnTheNet wrote:
| I agree that we should not feel shame at blocking ads. I
| remember when the web was new and "pop-up blockers" became a
| thing. Ad companies and everyone using them have long ago
| burned any and all good will we might have had towards them
| and deserve nothing but our contempt.
| rchaud wrote:
| I remember IE6's so-called blocker failing to block a lot
| of popups. It wasn't until I discovered Firefox in 2004
| that I stopped seeing them.
| exporectomy wrote:
| Then Google came along promising no intrusive banner ads or
| popups. They would make their money from quieter
| personalized ads that knew what you wanted because they had
| more data about what you were doing. People loved the idea.
| It was going to save the internet from the horrible
| advertising industry.
| jraph wrote:
| Actually, I seem to remember that these ads were
| contextual at first, not related to any profile they
| would have built for you but only related to the content
| of the page.
|
| Which is entirely different. Ads are still manipulative
| (by design), but at least purely contextual ads don't
| track you.
| hoppla wrote:
| You might show me ads, but not track me, privacy badger stops
| you from doing that. But if your ads are trying to track me,
| then privacy badger stops that too.
| _nalply wrote:
| You are generous.
|
| However I don't want any content which could be distracting
| or plain unsafe for mental wellbeing. One example are the
| ads for violent games on BlueStacks when I was using the
| emulator for Android education software for my children.
|
| No thank you. Any content I can't control will be kicked.
|
| Either by using adblockers or by just not using the
| service.
| BitwiseFool wrote:
| Advertising is mental pollution.
|
| I dated a woman who experienced trauma in the past and
| she would routinely get horror movie trailers in YouTube.
| Even I found them disturbing. Neither of us had any
| interest in getting intrusive thoughts from watching
| assault and body horror. Putting in uBlock Origin did
| wonders for her well being.
| handrous wrote:
| I'm not likely to bother blocking first-party images or
| other content so-delivered. Odds are I won't be bothered
| enough by those to block them, or if I am I'm more likely
| to abandon the site than to start blocking that kind of ad
| on _every_ site.
|
| The problems are the tracking and the ad networks that
| kinda treat both the viewer _and_ their site-hosts as
| consumable resources, but that sites can't realistically
| avoid if they want/need ad support, because that's where
| all the money is. Break the ad networks, break tracking
| (and I mean legally, in both cases--tech means for blocking
| are doomed, IMO) and ad money won't go away, it'll be
| redirected to less-awful ways of delivering ads.
| eli wrote:
| Unfortunately the ad blockers are not usually able to tell
| the difference between first-party ads and network ads. In
| practice both come from an ad server.
|
| I think there's actually a great opportunity for someone to
| create an ad server that only serves first-party ads with
| no tracking.
| yoz-y wrote:
| The Deck was such a thing. It was sort of invite only
| because once you go first party you have no way to
| validate the user base so you need to trust the partner.
| For ads that result in direct sales this can be easy to
| do though.
| eli wrote:
| It was more of an ad network, no? Also I think it shut
| down.
|
| I'm talking about something even simpler than that. I
| have my own website and I have my own advertisers who
| want to put ads on it. I need a way to serve them and do
| contextual targeting (e.g. stories about a certain topic)
| and frequency capping and forecasting and the other sort
| of basic stuff I expect from Google Ad Manager.
| imiric wrote:
| The ad industry eventually ruins any medium it touches, and
| is responsible for spreading misinformation and propaganda
| that have killed millions.
|
| It ruined print when every other newspaper and magazine page
| had an ad mixed in with the content. Sure you could get the
| paper for free, but how much content are you actually
| reading?
|
| It ruined television when an hour-long show is interrupted
| several times to show 15 minutes of ads.
|
| And now it's ruining the web with the advent of ad tech and
| the brilliant minds that get paid millions to think of new
| ways of squeezing more value out of people's attention. Web
| sites are riddled with ads now even worse than in the popup
| days. I have to navigate a legal minefield of dark patterns
| to ask them to please _not_ track me or sell my data.
|
| These are just the ways it ruins content and user experience.
| What about the misinformation? The lies from the tobacco
| industry, the political ads that overturn democracies,
| astroturfing and embedded marketing...? The list of shady and
| downright evil practices is too long to mention.
|
| Advertising is a scourge on humanity. It needs to be strongly
| regulated and companies as influential as Google and Facebook
| need to switch to user respecting business models, for the
| sake of all of us.
| mrfusion wrote:
| Now they need one for all the newsletter sign up boxes.
| sam345 wrote:
| Regulations tend to become pretty stale pretty fast while tech
| moves on. Maybe users just need to push back by picking browsers
| that respect privacy. We would do better by funding better
| privacy tech and educating consumers than chasing regulations
| that almost never get it right, bog down the user experience, and
| generally become a hassle to everyone involved.
| juloo wrote:
| Why do they still think we want tracking cookies? The ad
| industry should prepare for a future with no tracking instead of
| trying to survive with ever shadier tricks, IMO.
|
| This won't work:
|
| - browsers other than Chrome will say "no tracking" by default,
| tracking companies won't like that
|
| - websites will ignore this, this will be known and people will
| be upset even more
|
| - more javascript when we want less
| titzer wrote:
| The ad industry has measured, and tracking means more revenue
| and more clicks. How much more? 2x. Not more. But 2x is 5 years
| of 15% "normal growth".
|
| They will absolutely not accept going back in time just 5 years
| in terms of revenue. They will fight to the death over every
| dollar.
| qwerty456127 wrote:
| > Why do they still think we want tracking cookies?
|
| Some people do. I would like to see relevant ads (of good
| special offers especially) if somebody could guarantee the ads
| are going to be humble and unintrusive, the goods advertised
| are of high quality and no-scam, the information they get from
| tracking can not be seen by any 3rd party (including legal
| authorities) and used for any purpose other than good
| recommendations under any circumstances ever.
|
| When I just finished school I didn't mind cookies (and actually
| hoped ads relevance was going to increase and increase) because
| I didn't think about the dangers which come with them.
|
| There are people who still believe they have nothing to hide
| and don't mind relevant offers.
| permo-w wrote:
| I'm sure you're right that a small minority doesn't mind
| being tracked and provided personalised ads, but there are
| other problems too. Advertising brings poor incentives for
| businesses, even worse than usual. Engagement is king, and
| product satisfaction is hardly relevant
| fmajid wrote:
| We know how small: 4% clicked to opt-in to IDFA tracking in
| iOS 14. And I suspect a large number of those are people
| who got confused and clicked on the wrong button.
| permo-w wrote:
| that's assuming iOS users are representative of the
| general public
| presentation wrote:
| They don't think we want tracking cookies - it just doesn't
| matter what you want with all the incentives to track.
| mikro2nd wrote:
| They _do_ think that we want personalised ads, though, and
| tracking cookies are just the tech-at-hand that is the least-
| cost way to do that.
| godshatter wrote:
| Do we want personalized ads, though? I don't, but I suspect
| I'm in a small minority. If I want to purchase something,
| I'll go do some research. I specifically don't want ads
| that are designed to try to get me to purchase something I
| don't need based on some manipulative psychological model
| based on my browsing behavior.
|
| A quick search makes it apparent to me that most people do
| want personalized ads, or at least think they do, while at
| the same time most people don't want the behind-the-scenes
| tech that makes it possible.
| presentation wrote:
| I think it also doesn't really matter if we want or don't
| want them - if people are more likely to click on
| personalized ads (I'd be surprised if they aren't) then
| they'll do it anyway. Just so happens it sounds appealing
| to some.
| yoavm wrote:
| The proposal includes no JS at all, and will probably reduce
| the amount of JS because it replaces current cookie consent
| modals and banners.
| yakubin wrote:
| It includes JS. See section "8. JavaScript-based
| interaction". I guess the idea is that just as you can
| control cookies both via HTTP headers and JS, you will be
| able to request consent both via HTTP headers and JS.
| yoavm wrote:
| My mistake. It does have an option to use JS, though it's
| not a requirement and it's no-JS by default.
| enriquto wrote:
| > more javascript when we want less
|
| notice that if you disable javascript by default most cookie
| banners disappear and everything becomes better. Then you can
| enable it per-site if you need something in particular.
| MarcellusDrum wrote:
| I tried that for a month, but most sites I encountered on
| search engines will just break or even refuse to render
| unless I enable JS. At first, I tried to leave the site and
| find an alternative, but after a while I found myself
| enabling JS on every site I visit that requires it, which
| negates the whole point.
| zeepzeep wrote:
| You should check out uMatrix to get even more fine grained
| control over sites.
|
| I usually allow images on every page, that's it. Some need
| CSS, some need iframes, and a small subset of websites I
| visit are actual webapps that need javascript.
| dmm wrote:
| I love uMatrix but development on it has stopped so it
| won't receive bug fixes and it will probably stop working
| someday. I don't think I would recommend new users start
| using it.
|
| https://github.com/gorhill/uMatrix
| https://news.ycombinator.com/item?id=24532973
| zeepzeep wrote:
| Yes true, but it's still working mostly and I don't have
| a real alternative.
|
| I want to switch to uBlock's Advanced mode which seems to
| do similar things, but I haven't yet.
| jeofken wrote:
| When working in that industry, the cope is thinking people are
| ok with it, because it's the "price" of free web content, and
| consumers are choosing it over anything with a paywall.
|
| I hope free software micropayments payperview can be part of
| the web! Maybe with GNU Taler or Offset by Freedomlayer[0]
|
| [0] https://www.offsetcredit.org/
| permo-w wrote:
| I agree. Wouldn't we all love to go back to the old old
| internet, where people did things a) because they wanted to,
| or b) because you paid them to. Both of these things make
| sense and are how the world has worked for a long, long time.
| This vague, nebulous money from ads and tracking has all the
| wrong incentives. It's not "make the best hammer" anymore,
| it's "make an addictive hammer that you'll never want to
| leave your hand". TV has and had the same problem to a
| smaller extent, and sports are infected with it too
|
| I honestly think there's a good case to be made for banning
| advertising entirely, and replacing it with a societal
| stipend for art and media, or at least restricting it to
| specific places. The back of newspapers, for example.
|
| I'm sure there are plenty of problems with and arguments
| against the idea, but it's definitely worth discussing
| deepstack wrote:
| Instead of blocking cookies, work on more stuff that will block
| fingerprinting such as stuff that is mentioned in
| https://www.nothingprivate.ml
|
| One spec could be split up the JS api into stuff that manipulate
| the dom and stuff that access GPU and other hardwares that may
| identify the browser or machine. Safari seems to be the only one
| that is doing anything in that area.
| SahAssar wrote:
| That site loads third party JS from cloudflare and sentry.
| Seems like the privacy message would be clearer if they didn't.
| mrweasel wrote:
| Cookies are used for things other than tracking, so maybe not
| obsolete, just irrelevant for tracking usage.
|
| I didn't read the entire spec, maybe there's stuff that replaced
| cookies in there.
| roblabla wrote:
| Cookie banners are only necessary for tracking. The idea here
| isn't to obsolete cookies, just the banners, as the spec
| proposes a way to gather user consent through the user agent
| instead of a cookie banner.
| _boffin_ wrote:
| Been thinking of making a chrome/firefox extension that will
| detect those cookie notifications and automatically nope out of
| them all for you and submit, but been too lazy to implement.
| contriban wrote:
| It's called "I don't care about cookies" but I think it accepts
| all of them.
| 7952 wrote:
| I wonder how effective ad blockers are on their own. I don't
| mind consenting when I know that the third party trackers will
| never load anyway.
| qwerty456127 wrote:
| > The mechanism serves as an automated means for users to give or
| refuse consent
|
| There already is the do-not-track flag, why not just force
| everybody to respect it?
| M2Ys4U wrote:
| There are a couple of reasons.
|
| DNT is primarily about _tracking_, this new spec is more
| general and covers much more processing of personal data, and
| allows one to opt-in (or out) of specific instances of
| processing of specific (categories) of data.
| sandstrom wrote:
| The thing with ideas like this is that it'll all boil down to one
| thing: opt-in or opt-out.
|
| If it's opt-in, hidden inside browsers settings, effectively no-
| one will use it (e.g. current cookie blocking settings).
|
| If it's opt-out everyone will use it (see e.g. Apple's recent
| "This app is asking to track you across the internet, do you want
| to allow it?").
|
| Question is, why make it complicated with a spec like this.
| Better to just agree to block all cookies, or to allow cookies.
| ketzu wrote:
| > Better to just agree to block all cookies, or to allow
| cookies.
|
| But I want some cookies and some I do not. Also I don't want
| non-cookie based tracking either. Having a binary choice for a
| subcategory is not very helpful to me.
| 1_player wrote:
| If it's opt-in, it's another bit of information to uniquely
| identify you (like Do-Not-Track is today.)
|
| If it's opt-out and everyone will use it, ad companies will
| completely ignore this spec and keep tracking you.
|
| The Internet is entirely in the hands of an advertising
| company. 90% of Internet users use Chrome and/or Android? Add
| Google Search and it's probably like 98%. Good luck with
| changing the status quo.
| butz wrote:
| A bit too late, but still great for users and for developers. Not
| so much for cookie banner services, but that's their own fault
| for providing cookie banners that cover half or more of the
| screen, have confusing selections or none at all and use dark
| patterns to push visitors to "Accept All" cookies. And browsers
| should ask the user for a default preference only once, to prevent
| bothering with useless notifications from each website.
| dariosalvi78 wrote:
| now that's something sensible!
| lizardmancan wrote:
| communication with the mothership should be clearly defined
| slownews45 wrote:
| I just want ONE option - ACCEPT ALL COOKIES.
|
| Seriously, I reserve the right to expire, delete, manage and
| otherwise deal with cookies on my device myself.
|
| Can anyone create a different standard with ONE flag - ACCEPT ALL
| COOKIES - SHOW NO BANNERS*
|
| *User reserves right to delete, purge, modify, expire etc cookies
| on their device.
|
| That's what I want.
| durnygbur wrote:
| Tinder, Google, Amazon, Twitter, Facebook and other platforms can
| reliably ban an account without knowing the name, surname,
| birthdate. Just from the broad fingerprint of the device, email,
| phone number, Wifi SSIDs, location, and other data they collect.
| Yet they are showing the cookie and "privacy" splashscreens and
| popups on every visit. Every. Freaking. Time. Google with Youtube
| in particular. Isn't it malicious compliance?
| hnarn wrote:
| The most frustrating thing about these cookie banners (more like
| cookie lightboxes) is that almost none of them are compliant with
| the rules. Unfortunately I don't have time to find the source
| right now, but I'm pretty sure I've read official EU guidance
| docs clearly stating that many "dark patterns" are simply
| illegal. For example making the "Accept all cookies" button
| require less effort than only accepting necessary cookies, which
| almost every page does.
|
| I feel like the current state of cookie consent is completely
| broken, partly due to the complete lack of enforcement, and
| having a browser-specific setting that propagates to all pages
| would be great -- but again you have to think about incentives.
| If pages are not required to accept these settings, their
| incentive is to ignore them and to claim that since it's
| unfortunately not supported "yet" (read "ever"), you still have
| to wade through the cookie form.
| jakub_g wrote:
| At least in France, there's CNIL (Commission Nationale de
| l'Informatique et des Libertes) that started going after the
| top non-compliant websites and sending love letters like "you
| have N days to become compliant".
|
| [1] https://www.cnil.fr/en/home
| quotemstr wrote:
| And then Europeans complain when the rest of the world
| geoblocks them.
| galgalesh wrote:
| Where are these fictional Europeans who want strong
| enforcement of privacy laws and complain about geoblocking?
|
| The whole point is that either you follow our laws or you
| lose access to Europe. Geoblocking is just self-regulation.
| datenarsch wrote:
| Here's one. I hate it how I can no longer access 90% of
| local US news websites.
| hnarn wrote:
| Every single time I've had this problem I've just used
| the Google cache or archive.org
| anoncake wrote:
| No, we politely inform you that geoblocking is not actually
| required. But thanks for protecting us from your privacy-
| violating website anyway.
| samjmck wrote:
| No one's complaining about not being able to access shitty
| websites that can't be arsed to make clear which companies
| are tracking you.
| 7952 wrote:
| I have been building some sites where I have explicitly tried
| to remove or avoid cookies completely. It is really tricky as
| any third party script or embed can set cookies, which may be
| retained depending on browser version. We end up using generic
| cookie prompts just in case to appease corporate compliance
| even when nothing is usually set on the page. And the HTTP
| nature of cookies makes automating things much more difficult.
| You can't just drop in some javascript that overrides
| document.cookie, and even if you could it would not be
| supported by all browsers.
|
| What I would like is to be able to whitelist domains in content
| security policy and reject everything else by default.
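The deny-by-default allowlist 7952 asks for above, sketched as an added example (not part of the thread): a Content-Security-Policy built with default-src 'none' plus per-directive allowlists, and a simplified matcher showing which loads it would permit. Host names are constructed placeholders and only 'none', 'self' and https host sources are modelled; CSP governs which resources load rather than cookies themselves, so a blocked embed is never requested and cannot set one, while any script that is allowed can still write document.cookie.

```javascript
// Added example. All host names are constructed placeholders.
const PAGE_ORIGIN = 'https://news.example.test';

// Per-directive allowlist; an empty list means "nothing may load".
const ALLOWLIST = {
  'script-src': ["'self'", 'https://static.example-cdn.test'],
  'style-src': ["'self'"],
  'img-src': ["'self'", 'https://*.example-img.test'],
  'frame-src': [], // no third-party embeds at all
  'connect-src': ["'self'"],
};

// Build the header value: everything is denied unless a directive allows it.
function buildCsp(allowlist) {
  const parts = ["default-src 'none'"];
  for (const [directive, sources] of Object.entries(allowlist)) {
    parts.push(`${directive} ${sources.length ? sources.join(' ') : "'none'"}`);
  }
  return parts.join('; ');
}

// Parse a header value into directive -> sources.
// As in CSP, a repeated directive is ignored; the first one wins.
function parseCsp(header) {
  const policy = new Map();
  for (const chunk of header.split(';')) {
    const [rawName, ...sources] = chunk.trim().split(/\s+/);
    const name = rawName.toLowerCase();
    if (name && !policy.has(name)) policy.set(name, sources);
  }
  return policy;
}

// Simplified check for fetch directives (script-src, img-src, frame-src, ...):
// a missing directive falls back to default-src. Paths, ports, nonces,
// hashes and scheme-only sources are not modelled here.
function isAllowed(header, directive, resourceUrl, pageOrigin) {
  const policy = parseCsp(header);
  const sources = policy.get(directive) ?? policy.get('default-src');
  if (!sources) return true; // no applicable directive: CSP does not restrict it
  const url = new URL(resourceUrl);
  return sources.some((src) => {
    if (src === "'none'") return false;
    if (src === "'self'") return url.origin === pageOrigin;
    const m = /^https:\/\/(\*\.)?([a-z0-9.-]+)$/i.exec(src);
    if (!m || url.protocol !== 'https:' || url.port !== '') return false;
    const host = m[2].toLowerCase();
    // "*.host" matches subdomains only, never the bare host itself.
    return m[1] ? url.hostname.endsWith('.' + host) : url.hostname === host;
  });
}

// Constructed sample of what a page and its embeds might try to load.
const SAMPLE_LOADS = [
  ['script-src', 'https://news.example.test/app.js'],
  ['script-src', 'https://static.example-cdn.test/lib.js'],
  ['script-src', 'https://tracker.example-ads.test/t.js'],
  ['frame-src', 'https://video.example-embed.test/embed/1'],
  ['img-src', 'https://a.example-img.test/x.png'],
  ['font-src', 'https://fonts.example-cdn.test/f.woff2'],
];

// Return the URLs the policy would refuse to load.
function blockedLoads(header, loads, pageOrigin) {
  return loads
    .filter(([directive, url]) => !isAllowed(header, directive, url, pageOrigin))
    .map(([, url]) => url);
}

const CSP = buildCsp(ALLOWLIST);
console.log('Content-Security-Policy:', CSP);
console.log('blocked:', blockedLoads(CSP, SAMPLE_LOADS, PAGE_ORIGIN));
```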
| [deleted]
| Dayshine wrote:
| Why avoid cookies entirely? You don't need a cookie banner
| for cookies essential to the functioning of your site.
| akie wrote:
| You want to avoid cookies entirely so that you don't need a
| cookie policy and that you don't need a cookie banner.
|
| It's also significantly easier to convince a lawyer that
| you don't need these things if you can prove that there are
| no cookies whatsoever. And even then they'll be suspicious.
|
| It's harder than it looks, just embedding a YouTube video
| for example already sets third-party cookies. Same with
| embedding a Twitter feed or Google Analytics. There are
| solutions for all of these things, but the standard/easy
| way of doing these things means your user gets a third-
| party cookie, which means you need the banner.
| hnarn wrote:
| > You want to avoid cookies entirely so that you don't
| need a cookie policy and that you don't need a cookie
| banner.
|
| Wrong. Functional cookies are exempt.
| akie wrote:
| Of course I know that, but did you ever talk to someone
| who is not in technology but _does_ have a say in
| determining what "we" need to do to cover "our" asses?
|
| Say, a lawyer with the responsibility that all of our
| websites implement all of the relevant regulations?
|
| You would think that they are up to date on what
| regulations you need to follow, but you'd be surprised.
| Many take a blanket "no risks under any circumstances"
| approach. These types can only be placated with the "we
| don't have any cookies at all" argument. And even then
| only barely.
| nickpp wrote:
| What are "functional cookies"? Are analytics/telemetries
| cookies functional? Are cookies identifying google users
| so they can receive targeted content but also ads
| "functional"?
|
| GDPR never bothered to specify. This is why GDPR is
| broken and sadly it broke the web.
| hnarn wrote:
| Have you tried finding the answer to your question
| online? There are clear examples of what "functional
| cookies" mean, even straight from the EU.
| nickpp wrote:
| There are many opinions online, but there is no
| authoritative, definitive answer. GDPR was made vague by
| design "to prevent future exploits". Even lawyers are
| arguing the details, three years after its introduction.
|
| This made GDPR in effect one of the most expensive
| regulations we had to implement as IT companies. It is
| also so incredibly punitive that everybody chose to
| implement it in the most conservative way possible, at
| the expense of the UX. Thus the cookie popups and
| banners.
| M2Ys4U wrote:
| The GDPR doesn't even mention cookies.
|
| It's the ePrivacy Directive that regulates them (or, more
| precisely, "information stored in the terminal equipment
| of a subscriber").
|
| And the ePrivacy Directive _does_, in fact, define
| what's allowed without notifying the user:
|
| "any technical storage or access for the sole purpose of
| carrying out or facilitating the transmission of a
| communication over an electronic communications network,
| or as strictly necessary in order to provide an
| information society service explicitly requested by the
| subscriber or user."
| nickpp wrote:
| This kind of vague, high-level language is exactly why,
| if you reject cookies, you'll receive the same damn popup
| next time you visit the website until you relent and
| click Yes.
|
| They never tried applying their abstract concepts to the
| real world until we had to and the result is "The Web of
| Cookie Popups".
| jka wrote:
| You have a point, but at the other end of the spectrum,
| writing precise legal terms can cause problems as well.
|
| If the terms refer specifically to "cookies" and
| "browsers", it'd be entirely possible that the
| advertising industry and other players would simply
| change their own wording to evade the law.
|
| An effective legal claim might be able to find out about
| and catch up with those kind of tricks; but it'd be
| partly a game of time, and simply by delaying legal
| challenges while their operations continue, the ad
| industry would have achieved their goals.
| hnarn wrote:
| Instead of ranting and providing nothing but conjecture
| about how "expensive" GDPR is (whatever that means), or
| insinuating that lawyers "arguing" about something proves
| that legislation is ineffective (that's literally their
| job), refer to first hand sources and ask constructive
| questions in good faith about what you don't understand.
| Here's one example: https://gdpr.eu/cookies/
|
| Both first party session cookies and "shopping cart"
| cookies are mentioned as explicit examples of cookies
| that do not require prior consent and are unlikely to
| cause any concern.
| nickpp wrote:
| Then why does the very gdpr.eu website have a cookie
| banner at the bottom of the page?! There is clearly no
| session or shopping cart going on.
| SiempreViernes wrote:
| Uh, are you asking why a site that doesn't use cookies in a
| purely functional manner has a cookie banner?
|
| In any case, it's the usual reason: they have google
| tracking, and it seems like they embed content from other
| sites the easy way. You too can learn the answer to the
| mystery of why there is a consent banner by clicking the
| "Privacy policy" button, this one actually explains it
| clearly, like it was supposed to be a model example or
| something.
| lmkg wrote:
| Please do not use that website. It _presents itself_ as
| an authoritative resource, but it is not actually an
| authoritative resource. Nor, frankly, even a very good
| one.
|
| Actual first party resource:
| https://ico.org.uk/for-organisations/guide-to-pecr/guidance-...
|
| ICO is literally the agency that issues fines for GDPR
| violations in the UK. They have a lot of explicit
| guidance about what's OK and what's not.
|
| More detailed guidance on the "strictly necessary" exemption:
| https://ico.org.uk/for-organisations/guide-to-pecr/guidance-...
| Ensorceled wrote:
| The statement isn't "Wrong.", it's just overly strict.
| 7952 wrote:
| These particular sites didn't need essential cookies and
| discussion about privacy/cookies was taking lots of time
| for no real benefit.
|
| Also, I believe philosophically in trying to reduce things
| like analytics and tracking.
| tgv wrote:
| Still, the boss said: "add a banner anyway." Better safe
| than sorry, and everyone expects it by now.
| TX0098812 wrote:
| Yup, this is absolutely the case. Consent in order to count as
| consent has to be clearly affirmative, freely given, specific,
| informed, unambiguous and can be withdrawn.
|
| https://gdpr-info.eu/art-7-gdpr/
| lrem wrote:
| Max Schrems now has a foundation you can donate to:
| https://noyb.eu/en
| GrayShade wrote:
| > For example making the "Accept all cookies" button require
| less effort than only accepting necessary cookies, which almost
| every page does.
|
| Like those that make you uncheck 10 or 20 entries one by one.
| mtgx wrote:
| Or hundreds/thousands like Verizon Media/Oath & friends.
| tempodox wrote:
| Those are the worst. And calling them "legitimate interest"
| only adds insult to injury.
| Macha wrote:
| Also the providers that appear to offer an even choice of
| accept all/reject all, except you realise that they've
| classified a second "legitimate interest" option for
| everything which the reject all doesn't cover (because that
| would be objecting, not rejecting)
| blowfish721 wrote:
| The best ones are the ones that provide a list to 100
| partners and ask you to visit them to opt out. Usually just
| close the tab when I hit one of those.
| StavrosK wrote:
| Or like those that make the "Accept all cookies" button green
| and the "accept necessary" white/colorless/default.
| squiggleblaz wrote:
| I recently came across a website that makes the "Accept all
| cookies" button secondary and the "accept necessary"
| primary. It's such an effort to actually press the primary
| button -- I have been so trained by the completely
| disdainful behavior of the majority of websites.
| StavrosK wrote:
| I saw the exact same thing and was surprised too! I
| wonder if it was a site that was on HN...
|
| I pressed "accept all" by accident and thought "wow".
| Sander_Marechal wrote:
| It's EU, it varies by country. Each country takes the European
| GDPR law/guidelines and implements it on the national level.
| There may be slight differences. Your specific example where
| opting out must not cost more effort than opting in is specific
| to the UK GDPR implementation for instance.
| rikroots wrote:
| No. The GDPR is an EU Regulation which is, by definition, a
| binding legislative act. It applies in its entirety across
| the EU - no exceptions, no opt-outs. EU Member States are
| allowed to interpret (to a greater or lesser degree) EU
| Directives when they translate them into national law[1]
|
| The EU GDPR no longer applies in the UK because the UK is no
| longer a member of the EU. The EU GDPR has been incorporated
| into UK law (as the UK GDPR) but there's nothing preventing
| the UK Government varying it at any point in the future[2]
|
| [1] - https://europa.eu/european-union/law/legal-acts_en
|
| [2] - https://ico.org.uk/for-organisations/dp-at-the-end-of-the-tr...
| TX0098812 wrote:
| 'A "directive" is a legislative act that sets out a goal
| that all EU countries must achieve. However, it is up to
| the individual countries to devise their own laws on how to
| reach these goals.'
| rikroots wrote:
| > A "directive" is a legislative act that sets out ...
|
| Maybe my wording was a bit vague. How about: "The GDPR is
| an EU Regulation which is, by definition, a binding
| legislative act which applies in its entirety across the
| EU without the need for Member States to pass any further
| national legislation. This is different to EU Directives,
| which EU Member States will implement by translating them
| into their own national law - which in turn does give
| Member States room to 'interpret' the Directive's
| requirements - subject to legal challenge in the Court of
| Justice of the European Union"
| anoncake wrote:
| And the GDPR is not a directive.
| lmkg wrote:
| But cookie banners must also adhere to the ePrivacy
| Directive, which _is_ a directive (as the name implies).
| hnarn wrote:
| The point is that it's not being enforced, so if we assume
| what you say is true for the sake of argument, then the only
| way that would be OK was if a different cookie banner was
| shown for visitors from the UK, which I highly doubt happens
| in any meaningful percent of cases.
| kamray23 wrote:
| But they pretend to be legal. They at least make an attempt to
| seem kind of legal. And that's what matters.
|
| If you only accept a spec like this there is no way to pretend
| to be legal other than to accept it anymore. Make custom cookie
| banners totally illegal. Force the use of this. No dark
| patterns, no semi-legal trickery. Either you use it and accept
| it, or you don't. Take out the grey area.
| hnarn wrote:
| That's my point: that if you create a standard like this but
| don't _enforce_ it (which is not the same thing as its
| legality) it won't matter. What is the consequence going to
| be of ignoring it? Will it be enough to actually create an
| incentive more attractive than breaking the law?
| oftenwrong wrote:
| Instead of permitting sites to request consent of the user
| directly, they should be required to request consent via an
| official EU site. It could work like an authorisation redirect
| flow. This would standardise the consent UI, and prevent sites
| from implementing dark patterns.
| akie wrote:
| Then the EU tracks everything everyone does. Nice.
| oftenwrong wrote:
| The site could provide an opaque ID for user. Also, anti-
| tracking on the part of the EU could be enforced by law.
| kiallmacinnes wrote:
| Ignoring the many obvious privacy issues with this
| proposal, have you considered how this would result in a
| legally mandated single point of failure for (nearly..)
| all web sites?
| tomjen3 wrote:
| Better yet, a standard browser interface.
| hnarn wrote:
| This is an awful idea.
| hibernator149 wrote:
| I wonder if this fight over cookies is just a diversion. If we
| ever get an effective law or tech for cookies, won't the
| advertisers just shrug and switch to browser fingerprinting? I
| feel like the only solution is to educate users about AdBlockers
| and stuff like NoScript.
| ratww wrote:
| GDPR actually applies to any kind of tracking, it's not just
| cookies. You also need consent to do fingerprinting that can
| identify individual users, for example.
| kissgyorgy wrote:
| I understand that standards like these take years to make, but
| this should have been in the browsers for a loooong time at this
| point instead of every website implementing them differently.
| maxwellito wrote:
| Do you remember 'doNotTrack' ?
| timvisee wrote:
| Data collection is the problem. It is insane to me that we're now
| resorting to these kinds of 'solutions'.
| qwertox wrote:
| I would rather have a cookie-based approach where the opt-in
| dialog is clearly laid out via regulation.
|
| At the top of the dialog a "decline"-button and to the right of
| it an "accept"-button. These buttons toggle all the toggles of
| the providers listed below those two buttons. You can then
| manually override each of the listed providers, which may be also
| grouped by purpose in order to ease selection. No nested dialogs
| are allowed.
|
| Upon declination, one single cookie must get set, with a specific
| name, ie 'consent-acknowledge-status', with an expiry date of at
| least one week, where the consent selection is stored, so that it
| can be respected in future visits.
| peterhil wrote:
| Finally!
|
| Why on earth was this not implemented in the first place in web
| browsers?
| technicalya wrote:
| Not a comment, it's a question. Do you use ad-blockers?
| zeepzeep wrote:
| I use uBlock Origin with "Easy List Cookies" which blocks most
| cookie banners
| peterhil wrote:
| Thank you! The cookie consent banners are especially pointless
| when you are not keeping the cookies anyway.
| [deleted]
| Aeolun wrote:
| I read a lot of negative things here, but I like this spec.
|
| We (as a profession) should try to eliminate cookie banners,
| while still allowing users to opt out.
| pacman2 wrote:
| I use the I don't care about cookies Plug-in. My browser forgets
| all the cookies when closed. Besides several privacy plug-ins, I
| use the temporary container plug-in.
|
| Problem solved.
| vincentmarle wrote:
| All this does is move the cookie banner from the website to the
| browser which still means I have to click approve every time I
| visit a new website. What I _really_ would like to do is to get
| rid of these annoying cookie banners entirely and have something
| auto opt-in for me so I can get back to a decent web browsing
| experience a la pre-2017...
| presentation wrote:
| Would be cool if you can set a default policy in the browser.
| diogominhava wrote:
| This is exactly what we're trying to do at Super Agent - check
| it out https://www.super-agent.com. Choose your preferences
| once and our extension will automate opt-in/opt-out where
| possible :)
| bennyp101 wrote:
| Off Topic: Your logo is blurred unless I allow scripts from
| static.parastorage.com ... that seems a weird thing.
| diogominhava wrote:
| Thanks for letting me know! Looking into it - we've used
| Wix to build our landing page, I believe this URL may be
| from a CDN they use to speed up content delivery.
| Macha wrote:
| I think the only "safe" auto complete it could provide with
| this spec is reject all. Otherwise it could just save a list of
| consents with unique IDs and look at your rejection list for
| another fingerprinting avenue.
| gmueckl wrote:
| I don't see how this will be adopted without backing by legal
| threats. Even if this gets implemented on a voluntary basis, you
| need a fallback for browsers that don't support it. And if you
| need to have a version of the prompt with a user experience that
| isn't controlled by the browser, you might just as well use it to
| keep pushing the same dark patterns to everyone. Am I missing
| something?
| mkreis wrote:
| I agree. Why would anyone who wants to track users implement
| this standard and abandon their dark patterns?
| JCWasmx86 wrote:
| It would have to be enforced by legislation (As opposed to
| the dark patterns with cookie banners). If any company
| doesn't implement this fully compliant with the spec, fine
| them every year with 2-25% of the yearly revenue.
| amelius wrote:
| Because governments will slap them on the wrist real hard if
| they don't.
| vbezhenar wrote:
| Cookie banners work because they're everywhere and user has
| been trained to dismiss them as soon as possible. If this
| technology would get traction from major players, cookie
| banners will become an exception rather than norm. It means
| that users will be scared of those banners and might prefer to
| leave the website which will hurt the conversion.
|
| If this movement is not backed by major web players, probably
| nothing will happen.
| switch007 wrote:
| > Cookie banners work because they're everywhere and user
| has been trained to dismiss them as soon as possible.
|
| All my friends and family just click the CTA, "accept", "I'm
| OK with that", "Mmm cookies yummy!"
| thepangolino wrote:
| Don't browsers already have a feature to block cookies?
| PeterisP wrote:
| The "cookie banners" are not really about cookies but about all
| kinds of tracking and consent issues that are not eliminated by
| blocking cookies.
| ratww wrote:
| The idea here is not blocking cookies, which are very useful,
| but rather to bypass the annoying "cookie banners".
|
| Just as with Consent Banners, the website is still responsible
| for honouring your choices and not tracking you, either via
| Cookies or any other method.
| mgkimsal wrote:
| in the 90s, we had a 'big cookie' scare. and laws were threatened
| (or passed?). And... MUCH of this came down to ... managing
| cookies (or other browser state) was (and is) largely so damn
| hidden behind layers of configs, menus and options.
|
| We have a home button. We have forward and back. We have
| 'bookmark' buttons, which many people understand. A big 'COOKIE'
| button, on the main browser UI, that clearly show cookie info,
| with a big "GET RID OF ALL COOKIES" trashcan button right
| there.... that would have prevented 90+% of the scare and
| legislation efforts from the start.
|
| I looked for "clear my cookies" - in 2021, it's still click '3
| dots' or something else, then click something, then click
| something, then confirm.
| https://its.uiowa.edu/support/article/719
|
| "But there's so much nuance - I want to keep some, and not
| others, etc".
|
| We didn't have this many choices in 1998. My point is giving a
| big honking "get rid of it all" back then would have changed the
| trajectory of the entire discussion. It still might.
|
| I've lived through 2 decades of having to deal with support
| people trying to help users "clear your cache" or "reset your
| cookies". "Private mode" does help to a degree, assuming you're
| dealing with somewhat tech-savvy folks.
| titzer wrote:
| Now you see the conflict of interest when an ad company
| develops its own browser?
| mgkimsal wrote:
| I saw it on day one.
|
| Opera and others didn't bother to make cookie transparency a
| big priority either. :/
|
| More to the point, it was poorly exposed/managed well before
| Chrome.
| ezoe wrote:
| The problem is, most people don't understand what a cookie really
| is. If it were understood, you wouldn't need to support so many
| clueless people and no sane politician in the EU would have made
| a cookie law.
|
| The button you suggest causes more harm than good. Because
| people don't understand the cookie and think "does this button
| delete unnecessary data from my computer? Why not" and click
| it. Now all the legitimate data that were saved on their local
| storage is gone and they complain.
| mgkimsal wrote:
| "Now all the legitimate data that were saved on their local
| storage is gone and they complain."
|
| Not necessarily. Cookie !== localStorage (although...
| localStorage didn't exist at the time, IIRC).
|
| My point was "we" (it/tech folks, but mainly browser makers)
| got ourselves into this mess in the first place, and rather
| than making things more obvious and easier to deal with _at
| that time_, we seemed to double down on more obscure UIs.
|
| I swear, pretty much every Netscape release, and later, for
| years, every other Firefox release, changed where/what/how
| cookie mgt was located in their UI.
|
| "most people don't understand what cookie really is"
|
| And that's... whose fault? Putting a big-ass 'COOKIE' button,
| with transparency into what data is there, with quick
| options to remove it all, would have gone a LONG way to
| normalizing understanding. See some unknown shit in there?
| Delete it. If enough important things start breaking after
| deletion, people would have adapted (either users, or
| developers).
|
| "delete unnecessary data" - there's pretty much nothing
| people put in cookies that is truly 'necessary' for most
| folks.
|
| We didn't give people usable tools to manage this stuff, so
| eventually people turned to legislative means.
| gorgoiler wrote:
| This week I told iOS safari to block all cookies.
|
| It's really not that awful. In fact, it's kind of fantastic. I
| use a second browser (Google Chrome) for "signed-in stuff".
|
| Try it.
|
| (Although the fact that I just posted this from safari reminds me
| I'm not 100% up to speed on which-browser-for-what-activity
| discipline.)
| benhurmarcel wrote:
| I wish it could accept the cookies and delete them when you
| leave. It would break fewer websites.
___________________________________________________________________
(page generated 2021-06-16 23:02 UTC)