[HN Gopher] Data protection 'shake-up' takes aim at cookie pop-ups
___________________________________________________________________
Data protection 'shake-up' takes aim at cookie pop-ups
Author : louthy
Score : 57 points
Date : 2021-08-26 09:28 UTC (13 hours ago)
(HTM) web link (www.bbc.co.uk)
(TXT) w3m dump (www.bbc.co.uk)
| Silhouette wrote:
| As a potentially interesting data point for those not keeping up
| with privacy and data processing in the UK, next week (1
| September) also marks the time the NHS will opt everyone into
| sharing their personal health records for "research and planning"
| purposes by default (this is about the GPDPR, which is obviously
| not named confusingly similarly to the GDPR).
|
| Details about what this really means, who will get access to the
| data, and what regulatory or legal consequences they will face if
| it's abused are disturbingly vague. In theory, there has already
| been a two-month delay in doing this due to concerns the first
| time around about a lack of public awareness. I have seen exactly
| zero further public information campaigning on the subject during
| the additional time.
|
| Right now, as someone who believes strongly in the importance of
| personal privacy and restricting the sharing of sensitive
| personal data, I am more concerned about that imminent
| development than this one.
|
| For anyone in the UK who is concerned about that, there is still
| just about time to opt out via NHS Digital's online system. Make
| sure you also notify your GPs, as it seems there will now be two
| systems involved and they require separate opt-outs.
|
| (I'm using "UK" here, but if this affects you, please be aware
| that the rules may differ depending on whether you're in England,
| Scotland, etc.)
| pacifika wrote:
| Not Scotland, perhaps only England.
| jjgreen wrote:
| That's actually been pushed down the road:
| https://digital.nhs.uk/data-and-information/data-collections...
| Silhouette wrote:
| Thank you. I'd somehow missed that development.
|
| It's difficult to see how the other part (run centrally by
| NHS Digital based on the GP data) could go ahead without this
| part in place, so maybe they really did listen to reason and
| back down until they've got proper measures in place.
|
| That would actually be quite reassuring in connection with
| today's announcement that we're discussing here. If those in
| government really have understood that there are some lines
| that shouldn't be crossed when it comes to privacy and
| personal data and they really are genuinely interested in
| getting rid of the excessive red tape that some of the EU
| rules do impose on anyone working with personal data, this
| might be a positive story after all.
| bogomipz wrote:
| Alternate link to avoid the absurdity of the BBC's own account
| sign in pop up in order to read their story about pop ups:
|
| https://archive.is/bQATq
| reilly3000 wrote:
| Implementing GDPR and CCPA is a huge pain for publishers now;
| here we have a new standard to understand and comply with. Nobody
| stopped setting cookies, they just added CMP vendors which set
| their own cookies. I can't think of a single thing a regulator
| has done to make the web more private. Browsers and extensions
| are the beginning and end of what stops tracking and abuse.
| tsjq wrote:
| What are the plans with FLoC?
| TechBro8615 wrote:
| I don't know why so many companies implement the cookie banner in
| such an intentionally obtrusive way. Has there ever been any
| instance _ever_ of a company being fined because their cookie
| banner was confined to a small widget with an X in the bottom of
| the page?
|
| It's not like framing your "consent screen" in a giant modal is
| going to make up for the 100 checkboxes behind the "advanced"
| link that each require a separate HTTP request to disable. Or
| that after disabling them, you're lucky if they stay disabled for
| longer than the page session. And it doesn't shake the feeling
| that "disabling" a tracker generates more signal than the tracker
| itself.
|
| Anyone who implements this at their company is an idiot and an
| enabler. The profiteering companies encouraging the practice are
| little better than Outbrain, Disqus or Google AMP - an absolute
| cancer on the web. Oh, and I bet they've got lobbyists too. If
| you work as a developer at a company building consent modals, you
| are truly a useful idiot.
| pacifika wrote:
| Typical UK government, dangling some inconsequential benefit (tip
| of the iceberg) while eroding basic human rights.
|
| The problem is that I'm sure the general public will be in favour
| of removing those banners.
|
| This is like dissolving public education to remove those pesky
| exams from children's lives.
|
| It aligns with Tory business interests so taking everything into
| account I'm sure it will go ahead but the level of dishonesty is
| surprising.
|
| I'll be paying attention to anyone calling this out.
| actually_a_dog wrote:
| What "human rights" are being violated by getting rid of those
| dumb cookie popups?
| PaulHoule wrote:
| I think the cookie popups "normalized deviance". Since that
| is something required, maybe even thought of as virtuous, why
| not pop up two different boxes asking for the user's email
| address before they've had a chance to read the content?
| actually_a_dog wrote:
| That's a real stretch, to put it charitably.
| pacifika wrote:
| Eroding privacy protection laws that underpin it.
|
| https://www.humanrightsmedia.org/privacy-rights/
| erhk wrote:
| Did you miss the part about sending user data internationally?
| actually_a_dog wrote:
| I think you may have missed this part?
|
| > Data adequacy in this sense means an agreement that the
| protections in place are similar in two countries, with the
| idea of ensuring that personal information remains safe. It
| is a key part of EU regulations and was a minor sticking
| point in the Brexit negotiations.
| Silhouette wrote:
| As opposed to the EU stance, where sharing personal data
| with US organisations has repeatedly been found in court to
| violate the data protection rules? That mostly seems to be
| because US law grants its government security agencies much
| the same intrusive powers to examine data as most EU
| governments grant theirs and EU law explicitly allows for
| in the latter case. There are reasonable discussions to be
| had about the necessity for such measures and the
| safeguards and transparency requirements that are
| appropriate if they are used, but objecting to
| international data transfers on this basis, as EU courts
| have repeatedly done, seems a bit hypocritical.
| dspillett wrote:
| That part isn't necessarily related to the human rights
| (though there is the matter of data being carried off to
| wherever is liked, which counts IMO), but a suggestion that
| they are trying to use a little bit of good news (less pop-
| ups) to distract from bad news, of which there is a lot ATM:
|
| - Bad decisions wrt handling the Afghanistan situation
|
| - The potential weakening of workplace safety laws (starting
| with the relaxation of rules for lorry drivers, so they can
| be worked harder to fill the current gap instead of
| pay/conditions improving to attract more workers) and other
| employee protections post brexit
|
| - ...
|
| It is not unlike the tampon tax thing. They made a big deal
| about those no longer being subject to VAT on "brexit day"
| when in fact that had been agreed by the EU more than two
| years earlier and could have been implemented there and then
| (so women kept paying the extra for that time just so the
| government could claim a cheap win at the end of that part of
| the process).
| AstralStorm wrote:
| Technically GDPR could be amended to require compliance
| notifications to be non-obtrusive and still default to strong
| privacy protection like disabling non-essential functionality
| or data collection and processing.
|
| Of course the ad companies rely on the bad and obtrusive pop-up
| design to annoy users into clicking accept.
| petre wrote:
| One could set the preferences in their browser once for every
| site and maybe add exceptions like in the camera permissions
| dialog. Make it a simple three choice option, like only
| necessary (login, shopping basket) cookies, analytics and
| all, defaulting to necessary only.
| erhk wrote:
| ELI5 what an "essential" cookie is. Afaik none of them are
| essential if I refuse to make an account on your platform.
| mnw21cam wrote:
| Or add an item to a shopping basket. But yes, that's about
| it.
| dspillett wrote:
| Technically GDPR (and other similar regulations) _do already_
| require compliance notifications to be non-obtrusive, or at
| least rejecting consent to be no more difficult than
| accepting it.
|
| Unfortunately that isn't adequately enforced so everyone gets
| away with making it a massive pain to reliably opt-out and
| very easy to accidentally permanently opt-in.
| fangorn wrote:
| So basically "Think of the children!". Their fingers must no
| longer be exposed to exhaustive clicking of EU-mandated pop-
| ups...
|
| If eroding, still woefully inadequate, data protection, instead
| of simply mandating improvements to deliberately broken UIs, is
| the first thing future "Information Commissioner" intends to do,
| God Save The Queen's Browsing History!
| yalogin wrote:
| They brought on a new guy and the main thing he highlights is pop
| ups? Also, reading through the article it feels like the
| "Advancement" will be to not show the pop up but provide a button
| somewhere to have the user change the defaults which will be
| allow all cookies. I will be really surprised if it doesn't turn
| out that way.
| contravariant wrote:
| I'm actually OK with webpages just sending whatever cookies
| they like. Though it took me quite a bit of effort to ensure my
| web browser does something sensible with them, which really
| ought to be a lot easier (and we may be getting there, but
| permanently storing cookies really ought to be the exception).
|
| I'm slightly worried about all the other stuff they mentioned.
| Sure less red tape is nice, but it's a fine line between less
| box-ticking and simply no protection at all.
| 1vuio0pswjnm7 wrote:
| Edwards is a former lawyer. His predecessor is a library science
| person. Perhaps that is insignificant. Time will tell.
| lozenge wrote:
| "Other details remain light, with the government promising to
| launch a consultation on what future data laws will look like."
|
| They're going to torch all our data regulations, and the only
| thing people will care about is the cookie pop-ups going away.
| erhk wrote:
| Cookie popups won't even go away really.
|
| The U.S. has them, not because of data protection in the U.S.
| but because of EU enforcement. All this will do is change the
| legal basis and likely keep the cookies.
| mnw21cam wrote:
| This is the most important point. The EU is big enough that a
| large proportion of the world has put the cookie popups in.
| Whether they have done it right is a matter for a separate
| argument. The UK changing its laws isn't going to change any
| of this. The only thing it can do is give the bad
| consequences - the UK isn't big enough for this change to
| actually cause any good consequences.
|
| The solution to the problem of loads of web sites making
| illegal cookie nag-screens isn't to relax the laws so that
| they can legally steal our data - it is instead to actually
| prosecute for the nag-screens.
| GhostVII wrote:
| I don't understand why cookie popups are a website feature rather
| than a browser feature. Wouldn't it make far more sense to just
| have the browser default to disabling cookies, and show a popup
| if the web page wants to use them? Then it would be simple to say
| "accept all cookies", or "always deny cookies" rather than having
| a new popup on each site.
| Hjfrf wrote:
| This is a browser feature already. Every site chooses to ignore
| it due to lack of legal backing.
| GhostVII wrote:
| If the browser was to just disable the cookies API until the
| user allowed the site to store data in cookies, it wouldn't
| be something that the site would be able to ignore.
| travisd wrote:
| Worth noting that Google would probably do its very best to
| keep anything like this from coming to fruition with its tight
| grip on Chrome and web standards. And it's not in the interest
| of individual companies to go through with this since the odds
| that you just click "deny all cookies now and evermore" are
| pretty high.
|
| Just a case of perverse incentives and conflicts of interest.
| GhostVII wrote:
| It's also not in the interest of websites to show the cookie
| popups either, but they do it because they are legally
| required to do so.
|
| I mean I think regulating it in either place is a bit silly,
| but if we are going to force users to accept cookies on each
| site, putting it in the browser is far easier to enforce
| (since you don't have to go after each site that doesn't do
| it), and a much better user experience.
| saidajigumi wrote:
| Because the relevant legislation was crafted by those who
| fundamentally do not understand how the web (or computers)
| work. The relevant parts of the GDPR should always have
| described a _protocol_ where the browser acts as an agent on
| behalf of the user to declare privacy intent.
| madhato wrote:
| The browser could also have a setting for EU (GDPR) mode that
| would enable the cookie notifications. As there is no way for a
| website to automatically determine if a user is an EU citizen.
| jjgreen wrote:
| _It means reforming our own data laws so that they're based on
| common sense, not box-ticking_
|
| We are so fscked
| blackbear_ wrote:
| If this is a joke involving fsck - I did not get it.
| jaywalk wrote:
| You can't say "fuck" on the Internet, so he just censored
| himself in a technically-humorous way.
| imglorp wrote:
| UNEXPECTED INCONSISTENCY; RUN fsck MANUALLY.
___________________________________________________________________
(page generated 2021-08-26 23:02 UTC)