[HN Gopher] Starbucks and TrustArc add fake cookie processing de...
___________________________________________________________________
Starbucks and TrustArc add fake cookie processing delay if you
don't click agree
Author : avnigo
Score : 563 points
Date : 2021-09-12 11:09 UTC (11 hours ago)
(HTM) web link (twitter.com)
(TXT) w3m dump (twitter.com)
| ajsnigrutin wrote:
| Accepting cookies should be a client side action... browsers
| should quietly accept all the cookies, and once the tab/window is
| closed, delete them. There should be a separate button near the
| address bar to keep the cookies between restarts, and users
| should be prompted when logging in (as they are with "save
| password?" - 'yes' - 'no' - 'never').
| fouc wrote:
| client side implies javascript, browser side is probably what
| you meant
| ajsnigrutin wrote:
| For me, browser is a web client, but yeah, browser :)
| perceptronas wrote:
| I noticed Docker hub has exactly the same dark pattern
| aembleton wrote:
| They also use trustarc.
| thih9 wrote:
| What about Hanlon's razor[1]? Are we sure this is a fake delay
| and not just some bad engineering? E.g. a bad case of long
| polling. Sure, even in that case it would still be a dark
| pattern; I just want to make sure we're not assuming too much.
|
| [1]: https://en.m.wikipedia.org/wiki/Hanlon%27s_razor
| t0mas88 wrote:
| You're right, it takes much longer to pick "no" or "customise"
| because the way it is implemented in 99% of the tracking tools
| is that it has to be opt-out and to do the opt-out the site
| loads a pixel that places a special opt-out cookie. Not saying
| this is a good thing, but it is a reality that it takes time to
| load so many opt-out pixels.
|
| So there is a big chance that this is a lot of outrage while
| there is no dark pattern here.
| hn_throwaway_99 wrote:
| Except I _guarantee_ if choosing the "allow all cookies"
| option took 50 seconds that the very first thing that product
| would prioritize is getting that down to sub-second.
|
| Granted, it could still be some sort of a polling situation
| vs. just a deliberate fake "make this take a really long
| time", but it still doesn't matter - it's still a dark
| pattern because the site owner is deliberately OK with the
| "opt out" solution being so onerous that hardly anyone would
| wait that long.
| alkonaut wrote:
| Wish regulators could hijack their domain and force visitors to a
| 15 second delay landing page explaining that they were found in
| violation of the GDPR and "you will be redirected to Starbucks
| shortly". Second infringement make it a two minute delay.
| dannyw wrote:
| Just fine Starbucks 1% of their global turnover.
| matheusmoreira wrote:
| One percent? Make it something significant like 50%. Better
| yet, figure out how much money they made with their
| surveillance capitalism, including any investments and
| profits derived from such capital. Fine them exactly that and
| then some for good measure.
| JumpCrisscross wrote:
| > _Just fine Starbucks 1% of their global turnover_
|
| Why? They're literally adding friction to their purchasing
| process. Nothing they sell is critical. Nobody's privacy is
| being violated. They aren't lying. They're just being
| annoying.
|
| This is the most trivial non-issue one could possibly get
| hysterical over.
| capableweb wrote:
| > Nothing they sell is critical
|
| Does that mean the law doesn't apply to them? You do
| business in Europe, you follow European laws + the laws of
| the specific country you're doing business with, doesn't
| matter what the type of business is.
| JumpCrisscross wrote:
| > _Does that mean the law doesn't apply to them?_
|
| The ePD is notoriously ignored and unenforced [1]. It is
| also not clear what part of the law a simple delay would
| violate. (Most of the sparing enforcement has been around
| dropping cookies after someone opts out.)
|
| [1] https://petsymposium.org/2019/files/papers/issue2/popets-201... _Figure 5_
| Nextgrid wrote:
| Not sure about the ePrivacy directive but this flow would
| be in breach of the GDPR and I'm pretty sure you have to
| comply with both.
| JumpCrisscross wrote:
| > _this flow would be in breach of the GDPR_
|
| How, precisely? It's a one and a half second delay.
| Functionality is not changed one iota. No cookies are
| loaded.
|
| Would it be better if there were an energy-burning
| inefficient server-side algorithm spinning away?
| mellavora wrote:
| wait, what? are you saying that a change in the way the
| site functions is not a change in functionality?
|
| Seems your argument is that the change is trivial, thus
| safe to ignore; that there is some threshold below which
| changes to functionality don't matter. Do I read you
| right? i.e. "Important functionality is not changed one
| iota"
| Nextgrid wrote:
| See my other comment for reasons why this would be in
| breach: https://news.ycombinator.com/item?id=28501088
| JumpCrisscross wrote:
| > _my other comment for reasons why this would be in
| breach: https://news.ycombinator.com/item?id=28501088_
|
| It's a decent attempt at an argument, but far from
| convincing. One _could_ argue it's to dissuade opting
| out. One could also argue it's being presented to show
| the opt out has teeth. (Non-technical people ascribe
| meaning to fantasy progress meters. A number of UI
| studies have shown that.)
|
| As for opt out needing to be instant in comparison to opt
| in, the argument holds no water. If a legacy system were
| patched for GDPR, it's reasonable for the opt-out to
| involve _more_ code, not less, as an extra routine undoes
| the defaults. That or making a record of the opt out is
| done tediously. (In this case, the argument is moot since
| the delay is fake.)
|
| The toughest argument one could make from the ICO
| checklist [1] is that a one and a half second spinner
| delay constitutes a material "detriment" or penalization
| of withdrawal of consent. Those are technically true to a
| trivial degree, but immaterial. Far from meriting a 1%
| fine per the original comment.
|
| These kinds of arguments hurt everyone working for
| privacy by trivializing it to a sympathetically mockable
| degree.
|
| [1] https://ico.org.uk/for-organisations/guide-to-data-protectio...
| Nextgrid wrote:
| > One could also argue it's being presented to show the
| opt out has teeth. (Non-technical people ascribe meaning
| to fantasy progress meters. A number of UI studies have
| shown that.)
|
| In this case, why isn't the same applied to the opt-in?
|
| > If a legacy system were patched for GDPR, it's
| reasonable for the opt-out to involve more code, not
| less, as an extra routine undoes the defaults.
|
| The GDPR mandates that no non-essential data processing
| should happen unless the user opts-in. Even if there was
| _more_ code involved in making a legacy system GDPR-compliant,
| said code would need to be run first
| (essentially applying the delay to the initial page
| load). Otherwise, since this consent form is overlaid on
| top of the existing webpage (as opposed to being on its
| own page with none of the trackers being loaded) this
| essentially means that data is being processed until the
| slow opt-out process completed, thus being in breach of
| the GDPR. In short, GDPR-compliant systems should work on
| the basis of "opt-in", not "opt-out". Having the delay
| on the opt-_out_ proves that the system assumes the user
| has opted in (and thus immediately processes data that
| the user may not be willing to share) until told
| otherwise.
|
| Also, regardless of the delay, the simple fact that the
| flow has a big prominent "agree and proceed" button which
| takes one click and then a less prominent "manage
| settings" which takes _multiple_ clicks is enough for
| this to be in breach, at least according to the ICO's
| guidelines.
| matheusmoreira wrote:
| > It is also not clear what part of the law a simple
| delay would violate.
|
| People must not be punished for choosing to have their
| privacy respected. This is coercion.
| hn_throwaway_99 wrote:
| I don't know if this is the experience for European visitors, but
| as the Twitter thread states, this is in violation of both the
| spirit, and, importantly, the letter of GDPR. I really hope there
| are more than slap-on-the-wrist consequences for this blatant,
| deliberate attempt to side-step the requirements of GDPR.
| hulitu wrote:
| Google does the same.
| matheusmoreira wrote:
| We're not excusing Google. It should totally be fined too.
| Its whole existence is a violation of privacy.
| Ekaros wrote:
| I really don't understand Google, why should I install some
| addon to stop myself from being tracked, shouldn't it be
| other way around? That is allow people install add-on to be
| tracked...
| wly_cdgr wrote:
| Imagine working for a company that does this shabby, slimy
| bullshit. What a fucking loser you have to be to accept that
| paycheck
| diogenesjunior wrote:
| Yes, because everybody who works at starbucks knows wtf is
| going on with their crappy websites.
| Tijdreiziger wrote:
| IME this isn't unique to Starbucks, every single site that uses
| TrustArc does this.
|
| Thankfully, I haven't had to deal with any of these stupid pop-ups
| since installing the 'I don't care about cookies' add-on. [1]
|
| Related question: Does anyone have experience using 'Stardust
| Cookie Cutter'? [2] Is it better than 'I don't care about
| cookies' or does it do the same thing?
|
| [1] https://www.i-dont-care-about-cookies.eu/
|
| [2] https://get.stardust.today/
| tyingq wrote:
| >IME this isn't unique to Starbucks
|
| Of course, still a good strategy to name/shame a well known
| party that may care more about their public image than
| "TrustArc" does.
| ajdude wrote:
| My issue with the I don't care about cookies add-on is that it
| auto accepts all of the marketing and tracking cookies, doesn't
| it? I would love something that auto declines everything.
| rozab wrote:
| Cookies should be controlled by the client anyway. Just
| disable them globally, you'll only ever need them for a
| couple of sites
| Nextgrid wrote:
| Keep in mind that data processing consent forms cover more
| than just cookies - providing consent and then deleting
| cookies still allows them to stalk you based on IP address,
| browser fingerprint, etc.
| smichel17 wrote:
| uMatrix. You can configure it to allow everything else by
| default if cookies is all you care about.
|
| Then, also enable uBlock origin's "annoyances" filter.
| pxeboot wrote:
| If you add their list to uBlock, my understanding is that it
| only hides the notices, never accepts anything.
| Nextgrid wrote:
| Most of the notices are implemented in such a way that the
| tracking is enabled by default and clicking "decline" in
| the notice sets a cookie saying "opt out" to all the
| trackers (whose effectiveness is probably equivalent to the
| "evil bit" in IPv4).
|
| Blocking the notice (or ignoring it) is technically
| equivalent to opting in. Of course, if you're using a
| competent ad blocker it's likely that the trackers
| themselves were also blocked, making this a non-issue.
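
The opt-out design described in Nextgrid's comments above (trackers on by default, "decline" setting opt-out cookies) next to a consent-first design, as an added JavaScript sketch that is not part of the thread or any vendor's code. Vendor hosts and all function names are constructed for illustration, and every "request" is only an entry in an in-memory log.

```javascript
// Constructed vendor list; no network requests are made anywhere below.
const VENDORS = [
  { host: "analytics.example", purpose: "functional" },
  { host: "ads.example", purpose: "advertising" },
  { host: "social.example", purpose: "advertising" },
];

// Opt-out design: vendor scripts run at page load, and "decline" has to
// reach each vendor so it can set its own opt-out cookie.
function optOutPage(choice, vendors = VENDORS) {
  const log = [];
  for (const v of vendors) {
    log.push({ when: "before-choice", kind: "track", host: v.host });
  }
  if (choice === "decline") {
    for (const v of vendors) {
      log.push({ when: "after-choice", kind: "optout-pixel", host: v.host });
    }
  }
  // "accept" and an ignored or hidden banner (choice === null) add nothing:
  // tracking was already running.
  return log;
}

// Consent-first design: vendor loaders are registered but held until the
// user decides which purposes are allowed.
class ConsentGate {
  constructor() {
    this.allowed = null; // null = no decision yet, otherwise a Set of purposes
    this.pending = [];
    this.log = [];
  }
  register(vendor) {
    if (this.allowed === null) this.pending.push(vendor);
    else this.load(vendor);
  }
  load(vendor) {
    if (this.allowed.has(vendor.purpose)) {
      this.log.push({ when: "after-choice", kind: "track", host: vendor.host });
    }
  }
  decide(purposes) {
    this.allowed = new Set(purposes);
    for (const v of this.pending.splice(0)) this.load(v);
  }
  accept() { this.decide(["functional", "advertising"]); }
  decline() { this.decide([]); } // nothing was started, so nothing to undo
}

function optInPage(choice, vendors = VENDORS) {
  const gate = new ConsentGate();
  vendors.forEach((v) => gate.register(v));
  if (choice === "accept") gate.accept();
  else if (choice === "decline") gate.decline();
  else if (Array.isArray(choice)) gate.decide(choice); // per-purpose choice
  return gate.log;
}

// Two numbers per run: vendors that tracked before any choice was made,
// and requests the choice itself triggered.
function summarize(log) {
  const count = (pred) => log.filter(pred).length;
  return {
    trackedBeforeChoice: count((e) => e.when === "before-choice" && e.kind === "track"),
    requestsCausedByChoice: count((e) => e.when === "after-choice"),
  };
}

function compare() {
  const out = {};
  for (const choice of ["accept", "decline", null]) {
    out[String(choice)] = {
      optOut: summarize(optOutPage(choice)),
      optIn: summarize(optInPage(choice)),
    };
  }
  return out;
}

console.log(JSON.stringify(compare(), null, 2));
```

In the opt-out design, declining is the only choice that costs requests and every vendor has already tracked by then; in the consent-first design, declining and ignoring the banner both leave the log empty.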
| Tijdreiziger wrote:
| Ah, I didn't know that, but I run uBlock Origin anyway, which
| should block nearly all of that stuff.
|
| It does appear (from their website) like the aforementioned
| Stardust can auto-decline everything, but I haven't tried it
| myself.
|
| One problem you run into when declining cookies is that on
| many sites you won't be able to view embedded YouTube videos,
| tweets, etc. unless you go back in and allow social media
| cookies.
| bmn__ wrote:
| You should not use "I don't care about cookies", it is broken
| by design and chooses the wrong policy. Instead, use
| Consent-O-Matic. This kills consent banners but preserves privacy to its
| best ability.
|
| https://addons.mozilla.org/firefox/addon/consent-o-matic/
|
| https://github.com/cavi-au/Consent-O-Matic
| Shank wrote:
| You could also block the trackers with uBlock Origin. I use
| "I don't care about cookies" because I don't care about
| cookies. Not because I care about what settings are being
| set. I trust uBlock and other privacy protecting settings to
| actually protect privacy instead of the cookie prompts.
| bmn__ wrote:
| uBO + IDCAC is still worse than uBO + Consent-O-Matic. Not
| the right solution.
| alickz wrote:
| I've been using PrivacyBadger, made by the EFF.
|
| https://privacybadger.org/
| junon wrote:
| Forbes does this, too. It was the first site I noticed it on,
| years ago at this point. I don't know how it's not illegal.
| tbihl wrote:
| Please stop doing this. Not everything you don't like needs
| to be illegal, and taking your business elsewhere has
| literally never been easier in the history of the world.
|
| I don't want to live in a world where the criminalization of
| everything that ever happened that you didn't like means that
| I'm always breaking the law.
| Grakel wrote:
| Normally I would agree with you but if there's anything
| that we can all agree to ban it's annoying, unnecessary
| practices like this.
| Nextgrid wrote:
| The problem with spyware is that it stalks you regardless
| of whether you give "business" to the site or not.
| junon wrote:
| You're right, why even have consumer protection laws
| amirite?
| A_non_e-moose wrote:
| How many people not liking murder or theft did it take to
| make it into a law?
|
| How many people not liking gaslighting personal-data-theft
| dark patterns will it take to make it into a law?
|
| We're transitioning from purely physical beings to having a
| more virtual presence. Virtual crimes are much less visible
| and have much greater impact at scale than their physical
| counterparts, identity theft by Equifax breach or a hack,
| VS physical force or pickpocketing, for example.
| hcykb wrote:
| You are equating a website setting a cookie in your
| device (which you could disable in your browser settings,
| btw) with theft and murder.
| scrollaway wrote:
| "Cookie banners" are a misnomer. GDPR rules apply to all
| persistent personal identifiers, not just cookies. (And
| likewise, they do not apply to cookies which are not
| personal identifiers or are critical for site
| functionality)
| csydas wrote:
| No, they are equating that previously both items were
| socially acceptable until society demanded change and
| made both illegal and provided services to enforce such
| laws.
|
| The impact of violating privacy is neither increased nor
| decreased by the impact of theft and/or murder. If we
| compare theft and murder, theft <<in general>> is less
| impactful than murder, as I'm deprived of property and
| potentially physically injured with theft, with murder I
| am deprived of life itself.
|
| That murder is generally more impactful doesn't make
| theft more acceptable/less bad; we should have laws for
| both.
| nkingsy wrote:
| If hn is not the place to discuss web regulation, I don't
| know what is. New things pose new and unexpected harms and
| nuisances. Regulation is the cure.
|
| On the flip side, this particular dark pattern was caused
| by regulation. As usual, shades of gray
| xondono wrote:
| > Regulation is the cure
|
| Regulation is a _possible_ cure.
|
| Call me crazy, but if some place would be wary of going
| straight up for the "let's ban things with lawyers"
| approach, I would think it is HN.
| Nextgrid wrote:
| It is illegal, at least from the point of view of the GDPR
| which is what these pop ups are supposed to comply with.
|
| You could argue that the artificial delay is implemented as a
| way to dissuade people from declining which would fail the
| idea that data processing consent should be freely given (you
| can't force people to opt-in).
|
| You could also argue that even if there was a legitimate
| technical reason for the delay then it wouldn't be compliant
| because it would prove that data processing is enabled by
| default _before_ the user opts-in (otherwise the delay should
| be on opt-_in_ and opt-out should be instant as it's
| essentially a no-op).
|
| Here are the ICO's guidelines on the subject - you'll see
| that this TrustArc trash fails on multiple points:
| https://ico.org.uk/for-organisations/guide-to-data-protectio...
|
| TrustArc essentially provides "breaching the GDPR as a
| service" and their continued existence proves the
| incompetence of the data/privacy regulators in all EU
| countries.
| bjelkeman-again wrote:
| > proves the incompetence of the data/privacy regulators in
| all EU countries
|
| Or maybe it shows that they are underfunded relative to the
| task set them. Which is actually true of many government
| departments.
| Nextgrid wrote:
| Conveniently they're allowed to fine offenders up to 4%
| of global turnover and it's not like there's a shortage
| of offenders.
|
| Surely there is a way to get this "machine" started and
| use the money from previous fines to fund future
| enforcement?
| dane-pgp wrote:
| It may also be a sign of how much national governments
| care about privacy, compared to the EU parliament which
| voted for the e-Privacy Directive.
|
| I suppose the counter-argument would be that passing
| legislation is cheap, but enforcing it costs money, and
| governments have other priorities, but, for example, in
| the UK there can be fines of up to £500,000 for breaches
| of the e-Privacy Directive[0], which should be more than
| enough to cover the cost of the investigation.
|
| [0] https://www.pinsentmasons.com/out-law/news/gdpr-e-privacy-br...
| junon wrote:
| Thanks, I figured this was the case.
| tyingq wrote:
| I tried the cookie settings on TrustArc's own site
| (https://trustarc.com) and they don't appear to have the
| timeouts. Though they do have a weird way to select "Essential
| Cookies Only". You have to say no to "Functional" and
| "Advertising" cookies, separately...2 clicks instead of 1.
|
| Also, their site is currently VERY slow loading.
| mateioprea wrote:
| Since this is a private company, you can always report that to
| your local authority.
|
| Here's a list of emails/sites for contacting your local authority
| and taking action.
|
| https://edpb.europa.eu/about-edpb/about-edpb/members_en
| GordonS wrote:
| I see the TrustArc in use at quite a lot of sites - the fake
| delay, and the whole UX in general, is intensely irritating, and
| it just feels like the darkest of dark patterns. Really gives me
| a bad feeling about sites that use it.
| the_third_wave wrote:
| I don't see them anywhere other than as a light red rectangle
| in the uBlock popup - they're not in my whitelist so they end
| up blocked by default. Things tend to work just fine without
| it, the same goes for many other "trust"-related sites. Some
| sites won't work at all without them but, fortunately, the web
| is a large place full of choice.
| wibagusto wrote:
| I find less and less I want to use the internet to browse sites
| anymore.
|
| Not just because of these dark patterns, but usability is
| messed up. The web should be redesigned to force standards
| compliant requiring websites to allow a "no script" support
| where you just go for information.
|
| Cookies are not even remotely the largest problem on the fucked
| UX web we have today. It's less about data delivery and
| ubiquity of the original WWW concept and more about "how do we
| force users to stay on our platform" or "how do we extract data
| on our users and sell it to the highest bidder."
|
| They also need to pass laws forcing companies who sign up users
| for services to have a graceful way to sign down and delete
| their account instead of these stupid cookie banners.
| vasilegoian wrote:
| As a web developer I can only agree with all that you said.
| It's like some companies are actively trying to make visitors
| leave their websites and never come back. Or at least avoid
| them as much as possible.
| guntars wrote:
| Also as a web developer, agreed, but unfortunately it's
| like spam. I'd never buy fake sunglasses or penis
| enlargement pills from some email that appeared in my
| inbox, but the fact that I still get these means it's
| profitable. As long as dark patterns are profitable,
| they'll be around.
| ThatMedicIsASpy wrote:
| Old people. I've helped a lot of old people with their
| PCs and they call me about PayPal scams when they do not
| have PayPal. They want to donate to someone because of a
| nice horoscope email they got.
| [deleted]
| tragomaskhalos wrote:
| Take IMDB - in the early 90's it was a fun little database
| hosted at the University of Cardiff, obviously limited
| content-wise but responsiveness was certainly not an issue.
| Fast forward to today and the modern behemoth it has become
| is essentially unusable (at least on my tablet) for quick
| enquiries, what with all the ads/video whatnot clogging up
| the homepage plus the utterly borked predictive search
| textbox - eurgh.
| wibagusto wrote:
| Ugh yes perfect example--every time I go there nowadays I
| can't find anything. Often I would try to find an
| actor/director's filmography but it takes a good 20 seconds
| to find the tiny links squeezed between the ads!
| rapnie wrote:
| Not to mention that the movie ratings are derived from
| fake reviews, and you have to look at the distribution of
| individual user reviews to gauge if they are genuine and
| decide if the movie is worth watching. If it's lots of 1
| and 10 ratings, the movie is probably crap. Many 6-8
| ratings and you're good to go. The nice thing for bad
| movies is that there's always a low-rating review which
| is a great read that gives you a good laugh.
| jjbinx007 wrote:
| You also get adverts before you watch trailers (but
| trailers are ads!) and you can't watch the trailers full
| screen because if you rotate your phone it keeps the video
| small and puts lots of distracting text next to it.
| slapfrog wrote:
| https://www.imdb.com/interfaces/
|
| > _Subsets of IMDb data are available for access to
| customers for personal and non-commercial use. You can hold
| local copies of this data, and it is subject to our terms
| and conditions. Please refer to the Non-Commercial
| Licensing and copyright/license and verify compliance._
|
| > _The dataset files can be accessed and downloaded
| from https://datasets.imdbws.com/. The data is refreshed
| daily._
|
| > _Each dataset is contained in a gzipped, tab-separated-
| values (TSV) formatted file in the UTF-8 character set. The
| first line in each file contains headers that describe what
| is in each column. A '\N' is used to denote that a
| particular field is missing or null for that title/name.
| The available datasets are as follows: [...]_
| aembleton wrote:
| Just block trustarc in uBlockOrigin.
|
| starbucks.co.uk works fine for me without trustarc, newrelic,
| googletagmanager or cloudflareinsights. No point executing all
| of that extra JS as it's not for your benefit.
| mmis1000 wrote:
| I believe that the `AdGuard Annoyances` list in ublock origin
| setting does this. It also blocks another offending cookie
| script that popups `everytime` if you opt out non-essential
| cookies.
| gzer0 wrote:
| At this point, I do not feel safe browsing the web unless I
| have ublock origin + all 7 annoyance filters + every single
| ad filter enabled
| npteljes wrote:
| Agreed, without my adblockers, the Internet feels like a
| seedy underpass in a city centre.
| notimetorelax wrote:
| Agree, and if site breaks with those filters I just
| decide not to visit it.
| webmobdev wrote:
| I am not entirely sure that a fake delay here is a dark pattern
| ... Computers can be blazing fast, and thus Usability
| principles allow the use of a "fake delay" to convey the
| perception that something is happening or has happened. (See -
| https://stackoverflow.com/q/536300 ).
| djur wrote:
| That link doesn't contain anything that justifies adding
| prolonged delays to applications. It documents that people
| can perceive sub-second delays, but this delay is tens of
| seconds. It's also only occurring for specific choices. That
| rules out any reasonable argument that it's a usability aid.
| webmobdev wrote:
| > That link doesn't contain anything that justifies adding
| prolonged delays to applications.
|
| It does in the context of usability:
|
| > What I remember learning was that any latency of more
| than 1/10th of a second (100ms) for the appearance of
| letters after typing them begins to negatively impact
| productivity (you instinctively slow down, less sure you
| have typed correctly, for example), but that below that
| level of latency productivity is essentially flat ...
|
| > That's for visual feedback that a specific input has been
| received. Then there'd be a standard of responsiveness in a
| requested operation. If you click on a form button, getting
| visual feedback of that click (eg. the button displays a
| "depressed" look) within 100ms is still ideal, but after
| that you expect something else to happen. If nothing
| happens within a second or two, as others have said, you
| really wonder if it took the click or ignored it, thus the
| standard of displaying some sort of "working..." indicator
| when an operation might take more than a second before
| showing a clear effect (eg. waiting for a new window to pop
| up).
|
| > but this delay is tens of seconds.
|
| Oh, I wasn't aware of that - in that case it's of course
| unjustified and definitely a "dark pattern".
| stagger87 wrote:
| The fake delay is 10's of seconds...
| avnigo wrote:
| Here it is in action:
|
| https://twitter.com/pixelscript/status/1436711732152504326
| [deleted]
| [deleted]
| yodon wrote:
| The fake "processing" delay is likely there because averaged
| across all visitors (not just averaged across HN commenters and
| voters) it increases visitor confidence that a change has
| occurred in site tracking activities as a result of clicking that
| button and hence it's there because it net increases both
| customer confidence and flow through to the rest of the site, as
| annoying as it may be to HN readers.
|
| The problem with having three sigma or more excess knowledge
| about a problem domain is that solutions designed for the center
| of the bell curve likely won't work well for the many-sigma
| outlier population, and the fraction of the population out in
| that many-sigma part of the curve is too small for providers to
| justify expending significant resources there. It's not uncommon
| for businesses to optimize for the center of the bell curve and
| leave many sigma outliers poorly served, as is happening here.
| ldjb wrote:
| I get what you're saying, but even if this design feature comes
| out of good intentions (which I honestly doubt), requiring the
| user to wait almost a minute so that it can "process" is rather
| excessive.
|
| If they really needed this delay, surely it only needs to be a
| few seconds tops.
| Aeolun wrote:
| The worst thing about this is that someone was asked to implement
| this, and instead of saying 'fuck no'. They went ahead and did it
| anyway.
|
| There's a few hills worth dying on and I feel this is one of
| them. It is just unambiguously evil.
| aaomidi wrote:
| If you're an h1b worker you literally don't have a choice.
|
| You obey or get yourself and your family kicked out of the
| country.
| antattack wrote:
| Or if your employer is paying for your family's healthcare,
| or your school tuition.
| josephcsible wrote:
| > if your employer is paying for your family's healthcare
|
| Isn't this true of every full-time job? But people quit and
| get new full-time jobs all the time.
| erdo wrote:
| Maybe in the US, but not in Europe. Health care and the
| education of your children is largely not dependent on
| your job. Shades of grey of course, I don't think
| university education is free in the UK anymore (it was
| when I was at university) and private health care does
| exist
| peterkelly wrote:
| You absolutely do have a choice. You just have to decide
| where your line is.
|
| If you are asked to commit a crime by your employer, do you
| go ahead and do it for the sake of keeping your job? What
| about something legal yet highly questionable on moral
| grounds? Going ahead with an annoying UI feature you don't
| agree with is probably justified if the alternative is
| getting deported, but there's a threshold somewhere and it's
| different for everyone.
| aaomidi wrote:
| I've already explained this in the thread.
|
| Not going to argue about how each person defines literally.
| fibers wrote:
| Yes because America, not China has exacerbated the
| conditions in India to make it so you have no choice to
| come to America. There won't be a timeline where the US
| relaxes their immigration laws to make something like this
| possible.
| andrewnicolalde wrote:
| What in your opinion has America done to India?
| enriquto wrote:
| Land of the free, they say!
| Veen wrote:
| So you literally do have a choice. There's just a consequence.
| (There are worse things than not living in America, hard as
| that might be for you to imagine.)
| aaomidi wrote:
| You're going to say no to writing a timeout code and risk
| your entire family going back to your country?
|
| What if you have kids who were born here? You're now going
| to take them back to a place they don't know? Or are you
| going to let them go to foster care here?
|
| How about if you've bought a house here? You're going to
| have just a few months to settle everything before you can
| go.
| Aeolun wrote:
| Why would you risk _all_ of those things on the whim of
| an employer.
|
| I swear the US must be the _worst_ possible country in
| the world to emigrate to.
| Veen wrote:
| Why would anyone contemplate leaving their children
| behind in foster care? That seems an absurdly hyperbolic
| suggestion. People move countries for work and take their
| children with them all the time. I mean, if the country
| was Syria and you literally risk death, then I could
| understand, but people in that situation are refugees,
| not on work visas.
|
| Perhaps I'm finding this hard to understand since I have
| no desire to live in the US whatsoever and have turned
| down several offers from companies that wanted me to move
| there. Nice place to visit, but I can think of dozens of
| places I would rather live.
| aaomidi wrote:
| The kid is a US citizen and doesn't know any language
| other than English. Depending on the home country that
| might be a huge huge obstacle for the kid.
|
| I was once that kid who had to go back to Iran without
| knowing Persian. It was fucking terrible.
| Veen wrote:
| Yes, moving to a country is hard when you don't speak the
| language. Can I ask, why did your Iranian parents not
| ensure you learned Persian if moving back was a
| possibility?
| aaomidi wrote:
| Because it was something I resisted and made me miserable
| trying to learn in another country.
|
| They did the right thing because I was able to still have
| a childhood that wasn't bogged down with learning
| Persian.
| otterley wrote:
| What country are you based in? Have you ever lived in a
| country with extreme poverty or an oppressive government?
| redler wrote:
| The corporate leaders that make the decisions are the ones
| that should resign on principle. Not the theoretical H1B
| employee who would uproot their family, derail their
| career, distress-sell their house, leave the country, etc.,
| over the setTimeout line.
| siculars wrote:
| (Right, like returning to a country you were trying to
| escape.)
| josephcsible wrote:
| If you're here from a country that you had to escape,
| then you're a refugee, and unlike H-1B immigrants,
| refugees don't have to leave just because they lost their
| job.
| iaml wrote:
| There's a ton of people who had to (or really wanted to,
| makes no difference in this case) escape a country that
| did it using their skills as a programmer.
| Veen wrote:
| But the vast majority moved because they could make more
| money in the US. They behave unethically because they
| don't want to give up that income. It's a purely
| mercenary calculation. And it does make a difference
| whether it's a want rather than a need. I want lots of
| things, but if I behave in a shitty way to get them I
| should be condemned.
|
| I'm sure there are some people in the unfortunate
| position you describe, and in their case it's
| understandable. But it's not the general case.
| iaml wrote:
| People who moved for the money likely went to FAANG
| instead.
|
| Actually, I got interested in this and checked trustarc's
| careers page and it seems most technical positions are in
| Philippines/Canada with a mention of "global team" so I'm
| convinced now all this thread is arguing about strawmen
| and in reality the product is being written by some
| remote contractors from a third world country who will be
| easily replaced by a million others if they refuse.
| yunohn wrote:
| Why do you assume it's an H1B worker? I don't see where you
| get this baseless accusation from.
| flixic wrote:
| What if 3 US citizens said "fuck no", and it was someone on
| much shakier ground who felt the pressure to say yes? Not a
| given at all, just makes it more likely.
| yunohn wrote:
| It really seems horribly racist to just assume that it
| must be the "lesser moral" H1B employee who made this
| dark pattern happen. You have zero evidence, no
| indication that's the case, and are speculating wildly.
| tortasaur wrote:
| It isn't even slightly racist. It isn't a comparison of
| morals between the H1B worker and U.S. citizen; the
| employer simply has more leverage over the H1B worker.
| yunohn wrote:
| But where is this assumption of a H1B worker causing this
| coming from? Literally zero indication of this, just a
| racist strawman.
|
| What a depressing thread this has been.
| IIsi50MHz wrote:
| I'm not seeing any claim that an H1B employee is less
| moral, only that a person (regardless of visa status) can
| be coerced into doing something they would rather not do.
|
| Also, there is no inherent racial component to an H1B or
| other status.
|
| The example of an H1B person seems to have been provided
| only as a sample to further illustrate the point that
| "Just quit on principle, rather than implement this
| thing!" is often not an acceptable action due to other
| effects.
| yunohn wrote:
| This whole thread has nods to moral high ground US
| citizens, versus the immoral scared H1B workers, who are
| /obviously/ the only ones who would implement such a dark
| pattern. Mind you we're discussing an American company,
| working with American clients.
|
| You seem to be one of those "assume good faith" people,
| who knows exactly what the others actually mean.
| Talanes wrote:
| >Mind you we're discussing an American company, working
| with American clients.
|
| And everyone in this thread is discussing how that
| company could be using American laws to pressure workers.
| This thread is an indictment of an American system, no
| one is blaming the H1B workers.
| aaomidi wrote:
| Is being an H1B worker now an accusation? This was me
| pointing out that our VISA system forces a huge chunk of
| our workforce to not have a strong ability to stand up to
| their employer.
| OJFord wrote:
| How many companies seriously start revoking visa sponsorship
| the moment an employee pushes back on a Jira ticket?
|
| Really the issue is being fired over it isn't it? The visa
| just makes being fired worse for employees requiring one.
|
| I would hate to work at a company where a bit of debate on
| 'is this really a good idea' were a firable offence; sounds
| like the 'believe it or not - jail' scene from Parks &
| Recreation! That's satirising a visiting delegation from a
| developing country under military rule.
| MisterSandman wrote:
| As someone on a Visa - even a 0.0001% chance of being fired
| for saying something like this would shut me up.
| thrwyoilarticle wrote:
| >I would hate to work at a company where a bit of debate on
| 'is this really a good idea' were a firable offence
|
| Right, and you don't have to because your continued
| existence in a country isn't dependent on it. Companies
| with attitudes like that don't reveal it until it's too
| late.
| OJFord wrote:
| I just think the existence/prevalence of such places is
| being wildly overstated... Especially without any sort of
| 'hey, stop pushing back on every issue, shut up and do
| your job or you won't have one' type warning.
|
| But then I've never lived or worked in the land of the
| free, so what do I know.
| not1ofU wrote:
| Because US employment laws are terrible. For everyone, not
| just h1b workers.
| octokatt wrote:
| I hear you.
|
| Same for if you're disabled, your partner has a medical
| condition... moving between jobs can be costless for some,
| but changing jobs is not costless universally.
|
| Which means in a given developer pool, there's usually at
| least one person who "won't put up a fuss about implementing
| industry standard code".
| nikkinana wrote:
| Yeah the best shit code in the industry is written by h1b's
| hcykb wrote:
| Ethics? FFS it's just the stupid Starbucks website... If you
| don't like the delay then just don't visit it
| dexterdog wrote:
| Except it's not just Starbucks. It's all sites that use
| TrustArc. TrustArc is a scummy middleman that is extracting
| money in the name of privacy without providing any serious
| protection (except to the companies who pay their protection
| money). I worked with them when I whored my services to a
| list broker as a contractor for a brief time. They are a
| virtual money printer because their certifications are so
| incredibly expensive for what they actually provide.
| imwillofficial wrote:
| Yeah, ethics touches everything. Might surprise you, but it's
| true.
| hcykb wrote:
| In the same spirit, some people say that everything is
| politics. Sorry but no, I refuse.
| eloff wrote:
| Yeah, I would refuse to implement this and immediately start
| searching for a new job, whatever the fallout.
|
| This is not why I got into software.
| jaclaz wrote:
| Yep, but that is a dangerous path/metric, besides this specific
| "artificial" delay, think of the millions, billions, trillions
| seconds humanity has lost - particularly the poorest - waiting
| for stupidly bloated sites to load on a slowish connection (or
| even worse a metered one) when the same content and message
| could have been delivered with 1/10th or 1/100th of bandwidth
| usage ...
|
| If you adopt this kind of metric/moral stance _any_ web
| programmer working in the last 20 years is guilty ...
| soheil wrote:
| There are things you can refuse to work on and there are
| things that you have to put in effort to make better.
| Improving a bloated site to load faster is not as trivial as
| refusing to put a dumb timeout to slow things down. I still
| think the OP is totally overreacting and even calling
| something as stupid as this a "dark pattern" belittles truly
| horrific things that are happening in the world including the
| cyber world.
| thih9 wrote:
| > instead of saying 'fuck no'
|
| This is only possible for people whose job stability or
| financial situation is above average.
| ralphc wrote:
| I'm out of the job market myself (retired) but isn't every
| developer's job stability above average? Isn't everyone
| looking for developers now? If you're one to take a stand
| then now is the perfect time. Unless you're in a H1B
| situation as mentioned by the comment below.
| VRay wrote:
| Yeah, man, most people have very flexible morals
|
| Just look at all the engineers at Facebook, or even worse:
| the defense industry
| acheron wrote:
| Tons of HN readers work at Google, which is much worse than
| whatever this dumb thing on the Starbucks website is. Ethics is
| in short supply.
| amelius wrote:
| Those Googlers just follow orders, so you can't blame them.
| /s
| siculars wrote:
| Die, eh? Na, this isn't the one.
| esarbe wrote:
| That's what you get for tearing down any worker protection or
| ability to organize.
| grishka wrote:
| If you tell them you aren't doing it, they'll fire you and find
| someone who will. It'll end up existing either way.
| criddell wrote:
| It's one reason that software engineering should become a
| real Engineering profession and not just a title. If your
| employer asks you to do something unethical, it would give you
| grounds for pushing back. Who would risk losing their license
| to practice because of a deceptive cookie notice?
| Engineering-MD wrote:
| This argument can justify anything on that basis, from fraud
| to murder or slavery. By withdrawing your services to do it,
| you reduce supply, increasing prices and providing a
| financial penalty for trying to enact it.
| inetknght wrote:
| > _This argument can justify anything on that basis, from
| fraud to murder or slavery._
|
| Interestingly there are laws and whistleblower protections
| against murder and slavery.
| hdjjhhvvhga wrote:
| Am I the only one seeing the irony of it? You are asking
| the guy who already added a ton of JavaScript junk to the
| website to have concerns about one delay function?
| grishka wrote:
| There's plenty of people who would do whatever they're
| told, regardless of their own principles, as long as
| they're paid for it. I'm not one of them, sure, but as long
| as there's just ONE person like this, we can't have nice
| things in the long run.
| moron4hire wrote:
| Another poster mentioned H1B visa holders, and I'm sure that
| is a valid concern there, given how poorly H1B holders are
| treated. But as a citizen, I've heard this many times, been
| told it to my face during sit downs with my boss while
| refusing to do something shady, and it has never happened. On
| two occasions, the threat was idle. On two more, I quit and
| they never did find anyone to replace me.
|
| But regardless, even if it were true, you still need to
| protect your own soul. Better to let someone else corrupt
| themselves.
| Aeolun wrote:
| Exactly! But what if everyone had a conscience and said no?
| Would they fire all their developers?
|
| Anyway, they wouldn't fire you since just finding someone
| else to do it is easier than starting any HR process.
|
| That's pretty sad by itself.
| watertom wrote:
| I don't understand why you are shocked.
|
| Ethics should follow the same standard normal distribution
| model as everything else. Which means that 50% of the
| population has less than average ethics.
| amelius wrote:
| We need an 11th commandment: Thou shalt not apply dark
| patterns!
| staticman2 wrote:
| Not everything follows a standard distribution model. In
| fact, since some psychological tests are designed to return a
| standard distribution result, if the traits do not occur in
| the population along a standard distribution, the
| psychological tests are designed in a way which will give
| inaccurate results.
| fumeux_fume wrote:
| Despite being called normal, not as much as you would think
| follows a normal distribution. But if your main point is that
| there is some mean value of ethicalness and 50% fall above
| and below that value then I suppose there's not much to argue
| about there.
| topaz0 wrote:
| *median. It is commonplace for more or less than 50% to
| fall below the mean.
| torstenvl wrote:
| It's also common for more or less than 50% to fall below
| the median. The average M&M fun size package has 15 M&Ms
| (mode, median=15; mean=15.02). Only 25.6% have fewer than
| that. As fumeux_fume stated earlier, not everything
| follows a normal distribution.
|
| Since morality is socially mediated, I think it's
| reasonable to hypothesize it would tend to be N-modal.
| soheil wrote:
| So a dumb one-minute timeout is the thing that pushed you over
| the edge? How would you feel if you had to work on drones that
| kill people or as a nuclear scientist on the Manhattan project?
| [deleted]
| realusername wrote:
| That's also why I like the web, instantly anybody can pull the
| inspector and see right through their crap and dark patterns,
| good luck doing that on mobile.
| mNovak wrote:
| For me, any cookie setting is instant at Starbucks. Actually I've
| never experienced this delay with 'essential' cookies anywhere,
| despite hearing about it a lot. Possibly because I'm using Brave,
| and so those cookies are blocked by default anyway?
| kolmel wrote:
| I feel like someone should be fined over this...
| warent wrote:
| They're trying to be clever and punish people who enjoy their
| rights of GDPR. The EU will not find these patterns cute or
| acceptable, and fortunately their fines are large enough to
| cause the offending business real pain. It's only a matter of
| time!
| npteljes wrote:
| I just want to add that with Firefox's Containers and the
| Temporary Container addon I usually just accept whatever, because
| the cookies are not shared between my tabs, and the temp
| container is deleted after 15 minutes of closing the tab. So
| while I technically accept, it's not much of a privacy violation
| anyways.
|
| https://addons.mozilla.org/en-US/firefox/addon/temporary-con...
| bttger wrote:
| The Docker homepage (https://www.docker.com/) is even worse. It
| takes minutes in my case when I press on "Essential Cookies
| only". And this is reproducible. It's like this for more than a
| year now.
| sigotirandolas wrote:
| For me (stable connection, EU), after selecting "Essential
| Cookies only", the "processing" takes:
|
| * About 8 seconds on Docker Hub
|
| * About 32 seconds on Starbucks
| aembleton wrote:
| What browser are you running? It took me ~20 seconds on
| Firefox.
| lostgame wrote:
| Still ridiculous when it is ~2-3sec with 'Accept'.
| cessor wrote:
| Yes, 40sec on firefox for "essential cookies only"; accept all
| is instantaneous.
| Ekaros wrote:
| Even more fun, when I actually dig down to advanced settings I
| can't turn off some cookies like: "Bizible - Do Not Use
| bizible.com No Opt Out Mechanism Bizible enables you to drill
| deep on settled and projected ROI of online advertising, so you
| can make data-driven budget decisions based on revenue."
|
| Umm what is going on with that one?
|
| Or why doesn't Facebook support opting out here?
| the_third_wave wrote:
| I seem to recall a relation between loading time and visitor
| retention? A quick search gives dozens of statements along the
| lines of..
|
| A 1 second delay in page response can result in a 7% reduction in
| conversions. [1]
|
| 47% of consumers expect a web page to load in 2 seconds or less.
| [2]
|
| 40% of people abandon a website that takes more than 3 seconds to
| load. [3]
|
| ...etc
|
| Either those cookies make up for the lost business, these
| statements only hold for the initial page load or these
| statements are factually incorrect. I suspect the statements only
| hold for the initial page load, that spinner and the slowly but
| surely updating fake counter holds visitors enthralled for the
| final outcome.
|
| Anyway, the path is clear: close that Starbucks tab after ~2
| seconds of faked cookie setting time and get your caffeine kick
| elsewhere.
|
| [1,2,3] just search for it - most results are commercial entities
| trying to sell some "marketing" or "website enhancement" service
| which I do not feel like boosting by linking to them. Much of the
| original research seems to come from Google and can be found in a
| report titled "The Need for Mobile Speed".
| xondono wrote:
| Those numbers are for people stumbling onto your web. If people
| are forced through your WiFi because they're in a foreign
| country and get no data roaming, those statistics mean nothing.
|
| Being privacy minded and traveling during covid has been a
| nightmare.
| soared wrote:
| There is a lot of value in being able to identify users, and
| starbucks 100% is constantly analyzing the gain they get from
| identifying users against the losses they incur from an
| increased bounce rate. (I work in adtech and am part of similar
| tests for similar brands)
|
| Almost certainly these tests do not take into account longterm
| effects on users' opinions on the brand, etc.
| didgeoridoo wrote:
| There's a big ol' "Cancel" button that stays live during the
| "processing time". They're trying to get you to click it in
| frustration, which will reset your cookies to maximum intrusion
| levels before you go about your business on the site.
| JumpCrisscross wrote:
| > _Either those cookies make up for the lost business, these
| statements only hold for the initial page load or these
| statements are factually incorrect_
|
| It's likely TrustArc trying to make their widget look muscular
| to an idiot executive at Starbucks.
| Nextgrid wrote:
| The delay is not specific to Starbucks' implementation. Every
| TrustArc popup has such a delay.
|
| Considering everything else about it also screams bad faith,
| I think it's a deliberate tactic to train people to click
| "accept" on these so they can then boast about how their
| "consent" management platform provides better conversion,
| which in turn somewhat justifies the salaries of the oxygen
| wasters in the marketing/advertising departments.
| mmmBacon wrote:
| I am very tired of having to deal with cookies on just about
| every site I go to. Almost nobody wants tracking cookies. I've
| noticed many sites it's hard to tell whether the tracking cookies
| are enabled or disabled.
| Aulig wrote:
| I don't remember the site, but one single time so far a website
| told me "we picked minimal cookie settings for you, since you
| sent a Do Not Track order". Very nice.
| ksaj wrote:
| I have seen this in distant times as well. The one I remember
| most provided a link to view your opt-in choices. Clicking on
| it showed what the "minimal" cookies were, that actually did
| affect how the page worked, or fed other "features" that were
| non-tracking, and what ones were not included so that you
| could opt in to some things if you were interested in them
| (which I'm sure was always never).
|
| I thought it was clever and unusually honest.
| matheusmoreira wrote:
| They figure out some way to spin it as "essential" or
| "required". They say it lets them "improve their services".
|
| As if some tracking bullshit could ever be essential to
| anything.
| dehrmann wrote:
| The legislation should have been that sites honor DNT (or
| something similar) better, and you're prompted by your browser.
| Doing it site-by-site is a headache for both users and
| companies.
|
| > Almost nobody wants tracking cookies.
|
| It's complicated because a lot of people do want to stay logged
| into certain websites. Even if that's not "tracking," what
| about recommendations? Youtube does recommendations for logged-
| out users, and I suspect a lot of people find some value in
| that.
| fnord77 wrote:
| I've seen punitive patterns like this elsewhere.
|
| some newspaper sites start autoplaying a little video window, and
| if you click the "close" X, the player will keep playing for
| several more seconds with a phony subtitle saying "shutting down"
| or "closing"
|
| btw why do so many sites do whatever they can to force a video
| to play when you click on them?
| [deleted]
| umarovt wrote:
| Honestly, I actually don't understand how that can be beneficial.
|
| First we all know that increased loading time also increases the
| bounce rate - so we are all working really hard to minimize it.
|
| If you add a fake loading time you actually say that you don't
| want particular users. Why then they don't just block the site if
| cookie policy is not accepted? Does anyone actually accept
| cookies and expects website to work faster? That sounds very
| counter intuitive to me.
|
| Actually wondering what you can achieve with introducing a fake
| loading time and how can company benefit from that.
| sigotirandolas wrote:
| If turning off cookies is a time-wasting chore, you are more
| likely to accept them next time, which will allow them to
| benefit from tracking you. It's a net win as long as the
| benefit they extract from the people that get tired and accept
| tracking is bigger than the loss from the people that bounce.
|
| The "beauty" of it is that so many websites in the internet are
| doing it, that even if it's your first time going to a website,
| when you see the cookie popup you already know the drill and
| are primed to just accept everything.
| Sebb767 wrote:
| 1.5 seconds seems too low for me to be for user annoyance,
| especially since this comes after the point where the user would
| change his mind. I'd bet someone had to implement this and needed
| this to look like it's doing something.
| ceejayoz wrote:
| It's not 1.5 seconds, though.
| https://twitter.com/pixelscript/status/1436711732152504326
| shows it taking nearly a minute.
| xyzzy21 wrote:
| From the wiki page on TrustArc:
|
| "In January 2006, Harvard economics researcher Benjamin Edelman
| published a study showing that sites with TRUSTe certification
| were 50 percent more likely to violate privacy policies than
| uncertified sites:
|
| https://www.benedelman.org/news-092506/
|
| And perhaps ironically (if honestly true - maybe it never was the
| intention), TrustArc was nominally/purportedly started to promote
| privacy at TrustE. A lie perhaps.
|
| "TrustArc, was founded as a non-profit industry association
| called TRUSTe in 1997 by Lori Fena, then executive director of
| the Electronic Frontier Foundation, and Charles Jennings, a
| software entrepreneur, with the mission of fostering online
| commerce by helping businesses and other online organizations
| self-regulate privacy concerns."
|
| https://en.wikipedia.org/wiki/TrustArc
| slim wrote:
| Let's encrypt was also started by EFF. It's been doing some
| shady business with its authority and the trust it accumulated
| since internet heyday. I wonder when it will betray the
| community.
| nickf wrote:
| 'Shady business' - what and how exactly, out of interest?
| boomboomsubban wrote:
| Though the practice is always deplorable, I don't get why
| Starbucks would want this kind of thing. Sure they might be able
| to sell your data for a little extra cash, but why would they
| make it harder to buy coffee on their site?
___________________________________________________________________
(page generated 2021-09-12 23:01 UTC)