[HN Gopher] Automating cookie consent and GDPR violation detection
___________________________________________________________________
Automating cookie consent and GDPR violation detection
Author : tomgp
Score : 89 points
Date : 2022-03-21 15:08 UTC (7 hours ago)
(HTM) web link (www.usenix.org)
(TXT) w3m dump (www.usenix.org)
| elygre wrote:
| Whenever people go "it's been four years, this law is too
| complicated", I am reminded that every now and again the US
| Supreme Court has to deal with issues that relate to the
| constitution.
| M2Ys4U wrote:
| The GDPR does _not_ require websites to inform users that a
| website sets cookies. There is nothing in the GDPR about cookies.
|
| It's the ePrivacy Directive[0] that deals with cookies (or,
| rather, "[storing] information or to gain[ing] access to
| information stored in the terminal equipment of a subscriber or
| user"). This is a law that pre-dates the GDPR.
|
| If you can't get that right, frankly I question whether anything
| you write on the subject is correct.
|
| [0] Directive 2002/58/processing of personal data and the
| protection of privacy in the electronic communications sector -
| https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX%3A...
| atoav wrote:
| (25) However, such devices, for instance so-called "cookies",
| can be a legitimate and useful tool, for example, in analysing
| the effectiveness of website design and advertising, and in
| verifying the identity of users engaged in on-line
| transactions. Where such devices, for instance cookies, are
| intended for a legitimate purpose, such as to facilitate the
| provision of information society services, their use should be
| allowed on condition that users are provided with clear and
| precise information in accordance with Directive 95/46/EC about
| the purposes of cookies or similar devices so as to ensure that
| users are made aware of information being placed on the
| terminal equipment they are using. Users should have the
| opportunity to refuse to have a cookie or similar device stored
| on their terminal equipment. This is particularly important
| where users other than the original user have access to the
| terminal equipment and thereby to any data containing privacy-
| sensitive information stored on such equipment. Information and
| the right to refuse may be offered once for the use of various
| devices to be installed on the user's terminal equipment during
| the same connection and also covering any further use that may
| be made of those devices during subsequent connections. The
| methods for giving information, offering a right to refuse or
| requesting consent should be made as user-friendly as possible.
| Access to specific website content may still be made
| conditional on the well-informed acceptance of a cookie or
| similar device, if it is used for a legitimate purpose.
|
| The rest of the GDPR makes it extremely clear that the goal of
| the whole thing is _not_ to mandate some specific solution but
| to force people who run services to allow tracking only with
| _informed consent_ and to offer options that do not track.
|
| If you are not storing data on your users' machines or just do
| so for legitimate purposes, you should not have a need to ask
| for a user's consent and thus don't have any need for a cookie
| banner.
|
| The issue here is that many people running websites just
| _don't know_ what they are storing and how. Just slapping a cookie
| banner on that bad boy and calling it a day won't work either,
| because you have to list the purposes of these cookies. If you
| don't know why your weird wordpress template loads a cookie,
| maybe it is time to change it (or alternatively: change your
| profession).
| hugoroy wrote:
| You're quoting the 2002 adopted text's recital.
|
| This is outdated.
|
| The relevant bit about consent and cookies was added in 2009,
| with directive 2009/136 modifying article 5(3) of directive
| 2002/58.
|
| So all you're saying about legitimate interests etc. is wrong
| since 2011 (2009+2 years allowing for Member States
| implementation in national law)
| atoav wrote:
| Thanks for the correction
| privacylawthrow wrote:
| You're wrong. The ePrivacy Directive does require that a
| website get consent before storing information on the end-
| user's device. Prior to GDPR, the local country implementations
| of the ePD allowed for implicit consent in some EU countries,
| and opt-out consent in other EU countries. GDPR redefined what
| constitutes legitimate consent to process personal data.
| Consent that was previously valid under the ePD was no longer
| valid under GDPR, which is why GDPR is about cookies, and every
| other processing of personal data.
| speedgoose wrote:
| You don't need consent to use cookies. You need consent to
| use cookies to track.
| privacylawthrow wrote:
| No. You need consent to store data on an end user's
| machine, regardless of whether you later track that data or
| not, unless such storage is strictly necessary for the
| operation of service explicitly requested by the user.
| swores wrote:
| By that logic the GDPR is "about" fridge magnets because any
| business storing personal data using letter magnets arranged
| on a fridge is subject to GDPR. Sure, often cookies
| constitute/contain personal data, but when they don't they
| are not regulated by GDPR.
| tick_tock_tick wrote:
| Yes, that is correct GDPR as written and as being
| interpreted by the courts covers every aspect of commerce,
| any interaction with another entity no matter how far
| removed, and any observable side effects of said
| interactions even if neither party knows of the third
| parties.
| bduerst wrote:
| I mean, if you're storing user information that isn't
| pertinent to the business with fridge magnets on a slab of
| metal, and the user asks you to take them down, it's a GDPR
| violation if you don't remove/scramble said magnets after
| 30 days.
|
| Method of data storage isn't really specified, but that's
| why it's _General_ Data Protection Compliance.
| belorn wrote:
| Before GDPR, the legal consensus among lawyers I asked was
| that consent could be a 30 pages long legal document hidden
| through a 6 pixel text link at the bottom of a page that can
| only be accessed by trawling the website. It wasn't really
| what the politicians that wrote the ePrivacy Directive
| _intended_, which is why the word _informed consent_ was
| added.
|
| Now if a hidden 30 page long legal document that no one can
| read is consent then I have this bridge I want to sell. It is
| totally legit.
| hugoroy wrote:
| I doubt you actually asked any lawyers who know this stuff.
|
| While GDPR did raise the threshold of valid consent, the
| interpretation before the GDPR was nowhere near what you
| describe here.
|
| There are authority guidelines and sanctions predating the
| GDPR on this.
| belorn wrote:
| I asked a lawyers during a conference that discussed
| privacy and law. I initially asked if a 50 page document
| was fine, which they said was not, but then lowered it to
| 30 and they said "sometimes" without any irony in sight.
| After an additional discussion they said that even if
| people did not read the document or had the ability to
| understand it, it would still count as consent.
|
| I have also talked personally with politicians who were
| involved with the work of writing GDPR, and the people
| who wrote the ePrivacy Directive have reportedly said that
| lawyers' interpretation of consent was beyond the
| imagination of the original intent of the directive,
| which is why GDPR now requires freely given informed
| consent in contrast to the old consent.
| privacylawthrow wrote:
| You asked the wrong lawyers, at least for the US. The FTC's
| case against Sears in 2009 made it clear that consent to a
| privacy notice isn't valid if the privacy notice is buried
| deep in a licensing agreement, even if the notice is
| correct.
| systemvoltage wrote:
| I wonder what is the GDP cost of millions if not billions of
| people dismissing a cookie pop-up every day, often multiple times
| a day.
| goodpoint wrote:
| That cost should be paid by the companies forcing pop-ups onto
| users.
|
| Popups are in no way GDPR's fault. The law does not mandate them.
|
| Instead, it's a form of malicious compliance. Companies pester
| visitors with popup banners that are almost always unnecessary.
|
| E.g. GDPR allows essential cookies e.g. a login cookie
| containing an encrypted token without any popup. If you want to
| notify users about it for extra safety you can show a little
| privacy notice on the login form. No need for popups.
| lbriner wrote:
| I'm not sure it's malicious compliance. When you are
| threatened with massive fines for non-compliance but you
| aren't told explicitly about how to solve it other than, "A
| cookie notice would be a way of complying", everyone will use
| a cookie notice.
| Nextgrid wrote:
| Bad news: those notices will do nothing to mitigate the
| fines, and might in fact even increase them if those
| notices pressure or trick users.
|
| Good news (for the companies): GDPR enforcement has and
| continues being laughable, so you don't have to worry
| either way.
| shadowgovt wrote:
| I'd have a lot more patience with this law if it had come with
| an implementable w3c do-not-track-like signal sites could
| transparently operate on so it didn't wreck the UX for people
| who didn't care (or for that matter, people who did!).
|
| (... which, unfortunately, I guess wasn't "do not track" since
| that pretty much failed, right?)
| martin_a wrote:
| Dismissing cookie notices is just a sign of companies
| outsourcing the cost of being privacy friendly.
|
| They could just run their own analytics tool and you wouldn't
| need any notice at all for basic visitor counting. But
| everybody is craving for those shiny numbers from Google
| Analytics (for mysterious reasons _perfectly_ integrated into
| all other Google tools), easy ad money and whatever metric
| marketing wants to see this month.
| lbriner wrote:
| Please don't make glib statements about what people do and
| don't want. If you don't want the metrics that you get from
| something like Google then that's fine but a lot of
| companies, ourselves included, find the insight massively
| valuable when we are trying to work out which parts of our
| product are or aren't working properly.
|
| Sure, we could roll our own but that creates its own problems
| and doesn't exempt you from cookies notices at all.
| Nextgrid wrote:
| > If you don't want the metrics that you get from something
| like Google then that's fine but a lot of companies,
| ourselves included, find the insight massively valuable
| when we are trying to work out which parts of our product
| are or aren't working properly.
|
| As a user, I don't want to be spied on so that you can
| "improve" your product aka make it more addictive or refine
| your dark patterns. I definitely don't want Google spying
| on me to help you achieve that goal either.
|
| The GDPR making it harder for you to do this means it's
| working as intended and I'm very glad to have it as a user.
| martin_a wrote:
| > doesn't exempt you from cookies notices at all.
|
| Sorry to tell you, but it actually does.
|
| Cookie notices are only necessary when you are transferring
| data to third-parties and there's no technical reason for
| that.
|
| Selling my personal data to some analytics company, and you
| have chosen to do exactly that, is not technically
| necessary but a very deliberately made decision by
| someone.
| jaywalk wrote:
| That's what browser extensions like Super Agent are good for.
|
| And the fact that we need a browser extension to deal with such
| incredibly annoying and intrusive "functionality" that is
| required by law is just insane.
| oneplane wrote:
| I wonder what is the GDP cost of millions if not billions of
| people flushing the toilet every day, often multiple times a
| day.
|
| We can all make silly arguments, just because something
| requires you to take action, and it might cost money, doesn't
| mean we therefore have to just let late stage capitalism run
| wild.
| systemvoltage wrote:
| If we didn't flush toilets but all of a sudden because of
| some law (directly or indirectly), we started flushing
| toilets; we should be concerned about it. But that's clearly
| not the case here and your analogy doesn't hold up.
| throwaway_sb666 wrote:
| A better analogy was if you were forced to use the toilet
| every time you entered a store you haven't been to
| previously... Just why in the world would I need to take
| part in such a wasteful charade.
| taeric wrote:
| My guess is that it is not a cost. It is a small annoyance, and
| I would be delighted for it to be gone. But... I really can't
| support any argument that inflates the cost of it.
| tacone wrote:
| I really think we should reject the law and make another one that
| requires the browser vendors to provide the appropriate notices
| (think of what currently happens with non-https connections) and
| (browser enforced) choices.
|
| No added work for website developers, no lawyers required, no
| dark patterns. Common icons and warnings the user can recognize
| easily because they would be the same for every website.
| tobr wrote:
| That makes no sense. How is the browser supposed to inform the
| user what they are consenting to? The point of the law is,
| among other things, that you need to have informed consent when
| you process personal information. That's not a technical
| problem that you can solve with a new API. It requires
| organizations to work differently. Unfortunately it seems that
| very few orgs have been willing to put the necessary thought
| and care into this, instead they just slap these cargo cult
| consent dialogs across everything.
| timando wrote:
| Put a cookies.txt (or json or xml or whatever) at the root of
| the website (or use a <link> element) with the name of the
| cookie and what it does. If the cookie isn't listed, the
| browser rejects it.
| akersten wrote:
| Oh the irony of this site itself having a "we use cookies, got
| it?" banner while lamenting this exact perceived lack of choice.
| I always laugh a little when I see those anyway, knowing that my
| browser's settings and privacy extensions are blocking the
| cookies and tracking connections either way.
|
| Did we consider that if everyone is breaking the law, the law
| itself might need a rework?
| oefrha wrote:
| It's a conference submission. It's not like the authors are
| responsible for or affiliated with the usenix.org website. It
| wouldn't be ironic if I published a GitHub UI dark patterns
| study on github.com.
| geon wrote:
| The law is fine. Great even.
|
| It is just that most websites don't comply and developers
| misunderstand it.
|
| You can freely use cookies like we used to do, for session
| id's, shopping carts etc. Once you add stuff to your shopping
| cart, you have a business relationship with the site, and they
| can store cookies necessary for basic functionality.
|
| You can not use them to track users on third party sites, or
| store personally identifiable info without explicit consent,
| and in that case, denying consent should be as easy, and not
| affect other functionality, such as blocking content.
| TomasEkeli wrote:
| very much this.
|
| I'm getting so tired of people implying the law is wrong just
| because sites still want to perform the tracking and data
| gathering it intends to limit.
| throwaway_sb666 wrote:
| If the law is right, but not possible to enforce, some
| fixing may be needed
| jjoonathan wrote:
| Everyone and their dog who has been getting away with bad
| behavior is going to take that stance as a stalling
| tactic. It might be true, but either way it's going to
| have a lot of bad-faith weight behind it, so we need to
| make our strategy robust to that inevitability.
|
| I'll default to skepticism but keep my mind open to
| proposals that are concrete and specific.
| throwaway_sb666 wrote:
| Check my other comment:
| https://news.ycombinator.com/item?id=30755527
| miki123211 wrote:
| IMO, the problem with GDPR is the same problem we have
| with a lot of European laws. There's nobody who's
| incentivized to enforce compliance.
|
| If you were able to sue for GDPR violations, either on
| your own or in a class lawsuit, you would have an
| incentive to prove that the violation has indeed
| occurred. As long as your lawyer was working on
| commission, they would share that incentive.
|
| As it stands, all you can do is file a complaint with
| your GDPR office and hope it makes a difference. You
| don't get any money from that, so hiring a lawyer to get
| such a complaint right is an expense you will not get
| reimbursed for. More importantly, the person
| investigating your complaint is probably on a salary, not
| a commission, so they don't personally care about how
| successful they are.
|
| Compare that to the ADA[1], for example, where you
| literally get legal firms looking for disabled Americans,
| finding places that don't comply with the law and suing
| them. Enforcement was partially privatized, and the free
| market, as it often does, found a better and more
| efficient way of enforcing the law than the government
| could dream of.
| LordDragonfang wrote:
| The ADA is the best example of why you need to actually
| give a law teeth for it to be enforced, and how well it
| can work when you do.
| M2Ys4U wrote:
| You _can_ actually sue under the GDPR and get
| compensation.
|
| Article 79 explicitly gives data subjects "the right to
| an effective judicial remedy where he or she considers
| that his or her rights under this Regulation have been
| infringed as a result of the processing of his or her
| personal data in non-compliance with this Regulation"
|
| Article 82 states that if someone has "suffered material
| or non-material damage as a result of an infringement of
| this Regulation shall have the right to receive
| compensation from the controller or processor for the
| damage suffered".
| throwaway_sb666 wrote:
| > Enforcement was partially privatized, and the free
| market, as it often does, found a better and more
| efficient way of enforcing the law than the government
| could dream of.
|
| I'm not a fan of this. You're replacing one kind of dark-
| pattern wielding, stain-on-underpants-of-society,
| predator with another!
|
| You will spawn industries of failed lawyers going after
| the easy money, i.e. clueless everyday people who
| inadvertently misconfigured wordpress and can't afford a
| lawyer when they get threatened with court cases if they
| don't pay the extortion fees.
|
| Just like asshole copyright lawyers under Germany's
| shitty jurisdiction extending their disgusting and
| threatening attacks on everyday citizens around Europe
| who dare to have a personal webpage without being experts
| in copyright law. As with ad-tech, also not the kind of
| enterprises we need to have in our society. Also wouldn't
| shed a tear for that industry to just die.
|
| If you do this kind of thing you need to directly target
| the companies enabling the illegal behavior, not the
| website owners.
| litgab wrote:
| Like with drug dealers?
| throwaway_sb666 wrote:
| Yeah like instead of having them on the street, they
| could have a shop and you could tax them a lot and make
| sure people know what they are getting into.
|
| Same with sharing personal data - maybe not a bad
| parallel :)
| lp0_on_fire wrote:
| > developers misunderstand it.
|
| Then maybe the law needs some adjusting to make compliance
| more manageable.
| krageon wrote:
| If you as a developer are tasked with understanding this,
| you take the time to read the actual rules and then you
| misunderstand it, you are incompetent. But this is not what
| generally happens. Folks don't read, just yolo some
| terrible explanation off of SO and then complain when
| someone tells them they are not compliant. That's laziness.
| Those are the only reasons for noncompliance, outside of
| actual malice.
| alkonaut wrote:
| It can be cheaper to misunderstand it. So long as risk of
| getting fined is low, and the fines aren't higher than
| they are, you aren't really tasked with being compliant.
| You are given a task to implement something in compliance
| but what that means is _as compliant as possible while
| still making sure the business survives, possibly even on
| the same business model_. That latter part isn't
| explicitly given to a developer in the instructions - but
| it's going to be made clear that if you don't want to put
| up the minimum-effort cookie wall, there is someone else
| that can do that job.
|
| This is why we need a law that people actually fear to
| the point where they would rather switch off the lights
| and take down the sign, than try to put up an off the
| shelf cookie wall that can be configured to have an
| "Accept all" button.
| Teever wrote:
| Why?
|
| maybe developers need some adjusting to make compliance
| numbers higher.
| lp0_on_fire wrote:
| Because GDPR has been around for a few years and it's
| still unmanageable. Laws need to be realistic to make
| compliance easy and widespread. Maybe there needs to be
| resources for training or something. There are lots of
| things you can tweak while still getting the benefits.
| LordDragonfang wrote:
| Compliance _is_ easy and manageable, for the most part.
| It's just that companies want to still do the things the
| law is trying to disincentivize, and want to put as many
| dark patterns as they can in the way of users avoiding
| it. So the "unmanageable" part is trying to figure out
| how close you can come to breaking the law without being
| blatant.
| rsstack wrote:
| https://en.wikipedia.org/wiki/Desuetude
|
| Three years later, randomly enforced and generally ignored:
| should GDPR-for-anonymous-browsing be regarded as obsolete by
| the EU's courts?
| isodev wrote:
| > Did we consider that if everyone is breaking the law, the law
| itself might need a rework?
|
| I think GDPR assumed companies would like to do right by their
| visitors. I guess the only way to do that is to increase the
| severity of the consequences for violating user trust. GDPR
| itself offers a guideline that many seem to misunderstand...
| you don't need a popup for every kind of cookie.
|
| I'm not against enforcing minimal tracking as default, and
| opting into cookies should be similar to going through a
| purchase flow... because it is one, just using "data" as a
| currency. So yes, convince me to click the "Buy cookies"
| button.
| Ekaros wrote:
| The possible consequences are already severe enough. It is
| just that enforcement is either underfunded or not taking
| active enough action.
| LordDragonfang wrote:
| >GDPR itself offers a guideline that many seem to
| misunderstand... you don't need a popup for every kind of
| cookie.
|
| Cookie banners predate the GDPR, most of them are from the
| "cookie law"[1] that predates it. They're two entirely
| separate laws that don't supersede each other.
|
| [1] https://en.wikipedia.org/wiki/Privacy_and_Electronic_Communi...
| alkonaut wrote:
| > Did we consider that if everyone is breaking the law, the law
| itself might need a rework?
|
| The law is fine, the enforcement is not. If the enforcement had
| any teeth, then people wouldn't be breaking it. So long as
| managers try to get away with dark patterns rather than just
| take their business off the internet, the penalties are clearly
| not stiff enough. But I'm fine with this taking a few years to
| get in place. It's better to ramp up penalties once the law has
| matured a bit, than to have the kind of business-ending
| penalties I'd like to see, for a very new law.
| throwaway_sb666 wrote:
| > Did we consider that if everyone is breaking the law, the law
| itself might need a rework?
|
| Agreed - IMO, make cookie banners illegal and make 'minimum
| cookies' the default. Done?
| rcgs wrote:
| As much as this may really damage the sector I work in, I'd
| cherish the clarity a stance like this could provide.
|
| There are many businesses trying to be compliant whilst
| maintaining access to metrics their business depends on.
|
| Compliance is very difficult at this time as the legal advice
| is shifting in different territories and there is conflicting
| guidance when you start to dig into it.
|
| I'd rather see a selection of activities and tactics entirely
| banned/regulated rather than this directive which is clearly
| too open to interpretation.
| throwaway_sb666 wrote:
| Appreciate the sentiment. Policy changes will probably
| always hurt somebody. The expectation is that the economy
| will realign around new goals.
|
| In this case it's even simpler since a software company
| would likely be able to develop a new product with hopefully
| more value to society than the vast majority of data
| collecting companies provide. I'm also not too afraid for
| tech workers being able to find other jobs, although I'm
| sorry for any other collateral damage.
| whatshisface wrote:
| What's the definition of minimum cookies?
| robin_reala wrote:
| Obviously there's no definition, but I'd say a reasonable
| baseline is when a user expects a stateful interaction on
| the stateless medium that is the web. So for example, a
| multistage checkout process.
| throwaway_sb666 wrote:
| Those that don't require opt-out according to the law. Too
| lazy to look up the legal definition right now.
|
| Edit: by law I mean the GDPR.
|
| Edit2: Get rid of the "cookie banner law" entirely,
| actually make it illegal, but require easily found links to
| privacy statement
| andai wrote:
| Necessary site functionality, without the spyware.
| Unfortunately, most websites are funded by spyware,
| so the minimum cookies to keep the internet economy running
| would have to include the spyware.
| [deleted]
| throwaway_sb666 wrote:
| Disagree. Let it burn, it's the only way. (change my
| mind?)
|
| This made me think of the Ukraine war, and how the
| sanctions may turn out to be a bigger help to climate
| crisis than any political entity could muster on the
| basis of the impeding climate snafu. Sometimes radical
| action is the right course of action; for
| democracy-(pre)serving reasons our governance systems
| often inhibit change unless most of the population is
| rallied around a specific cause as we see with Ukraine.
| That is the time for radical change to happen, or
| democracies would never progress. End of sidetrack :)
|
| EDIT: I mean, Strong agree with "Necessary site
| functionality, without the spyware. ", but disagree with
| last part
| hutzlibu wrote:
| "This made me think of the Ukraine war, and how the
| sanctions may turn out to be a bigger help to climate
| crisis than any political entity could muster on the
| basis of the impeding climate snafu."
|
| Huh? Here in germany there is talk by politicians that
| climate policies have to stand back now and we need to
| rely more on the coal plants and not close them, as it
| was planned.
|
| I really hope, that the actual solutions will be more
| renewables and nuclear, but I am a bit pessimistic about
| it.
| andai wrote:
| I was just asserting out that a law that banned spyware-
| based advertising would harm the current website economy
| which is largely based around spyware. I would like to
| see an end to mass spying, and therefore the creation of
| a different kind of funding mechanism. That _could_
| indeed be brought about by law, but that seems a bit too
| violent to me. I think what we're missing is a better
| alternative.
|
| I read an interesting article (from the mid 2000s? Will
| update if I can find it) arguing that microtransactions
| will never work due to the cognitive burden of paying for
| hundreds (or thousands!) of tiny things a day.
|
| Brave's BAT seems to solve this part of the problem by
| automating the payments based on how much time the user
| spends on each site. It would require everyone to switch
| to Brave and use their crypto thing to make it work, so
| it's obviously "suboptimal".
| throwaway_sb666 wrote:
| > I was just asserting out that a law that banned
| spyware-based advertising would harm the current website
| economy which is largely based around spyware.
|
| I think that largely, the website economy is based around
| advertising. I honestly doubt the advertising-centered
| business model would disappear even if large-scale
| tracking did. Would it be less targeted and less
| efficient on a micro-level - yes probably.
|
| But less abusive advertising would also have upsides for
| website owners: Privacy conscious people are increasingly
| blocking all ads, losing them eyeballs. Privacy friendly
| ads may be given a pass.
|
| Right now it's mostly impossible for privacy-conscious
| people to support a website they like by looking at their
| ads. The adtech industry is to blame for this for data-
| raping people. Website owners would benefit from a
| sustainable advertising model, where users don't have to
| make the choice between not contributing financially, vs
| sacrificing their privacy to data leeches. All the
| websites crying over ad-blockers would instead be forced
| to use legal ad networks that don't rely on illegal
| tracking, and people might again be willing to look at
| ads for content.
|
| Brave is an interesting take, but I think the more
| optimal solution is to just ban the practice of tracking
| and shadow-profile building. Problem solved, and I don't
| need to encourage people to install ad-blockers anymore.
| andai wrote:
| >Would it be less targeted and less efficient on a micro-
| level - yes probably.
|
| I remember reading not too long ago that tracking did not
| increase profits! I find that hard to believe because
| once the tracking gets good enough, they actually start
| showing me ads for things I actually might want to buy!
| (Imagine that!) In my experience, Facebook's ads (at
| least on Instagram) show me really cool things, while
| Google (who should know way more about me) shows me
| complete garbage on all its platforms (YouTube being
| worst of all).
|
| Re: less abusive advertising
|
| I'm considering making some (hopefully!) profitable web
| games but I'm averse to putting ads on them. After giving
| it some thought I realized my main objection wasn't
| aesthetics / UX (though that is certainly a concern when
| it comes to "art" -- I want my games to be beautiful and
| ads sort of kill the vibe there) -- my main concern was
| actually running strange 3rd party fingerprinting /
| zombie-tracker / god-knows-what. If it was just a clearly
| labeled affiliate link, eg. <a><img>, that would do away
| with most of my concerns! (And simplify my GDPR
| compliance by just.. not storing anything.. and eliminate
| the need for those horrible banners :)
|
| In general I'm averse to government regulations, but this
| might be a rare case where the alternative (rampant
| spying) is worse... After that, all that remains is to
| get the governments to ban _themselves_ from spying too
| ;)
| alkonaut wrote:
| Showing an ad next to a news article is not fundamental
| to the function of a news site, even if it's how the
| bills are paid. You can't degrade the experience because
| visitors reject cookies. So you can't do a "we'll show
| you the article but only if you agree to ads". And you
| have to make the reject-all-cookies the default choice
| and easier than accepting. It's pretty simple.
| zeruch wrote:
| As close to none as possible.
| zelphirkalt wrote:
| And, to make it even more precise, I would call cookies,
| which are for login, also as non-essential, unless a
| visitor really wants to log in, meaning they navigate to
| the login page.
|
| This means that by default, I don't need any cookies,
| because I don't want to log in to most websites I visit.
| Only if I want to log in, I have need for such cookies.
| zeruch wrote:
| ...hit the nail on the head. By 'as close to none' I
| pretty much meant "any cookie that isn't about
| authentication and/or holding state of something as an
| authenticated user that would matter"
| teawrecks wrote:
| For each cookie present, an independent third party expert
| would be willing to testify that the cookie is required in
| order for the website to operate as the user expects.
| zauguin wrote:
| Isn't this already the case? Does anyone actually think that
| you give voluntary informed consent to something by being
| annoyed into pressing a button?
|
| No, if you show a cookie banner your users do not opt-in. So
| a cookie banner is pointless since it doesn't actually give
| you permission to store cookies you couldn't store before. So
| we already have the law, we just don't enforce it.
| throwaway_sb666 wrote:
| I agree that a cookie banner is pointless. But they are
| even on government websites, so obviously something has
| gone terribly wrong along the way (hint: lobbyism).
|
| My thinking goes like this:
|
| 1. The law explicitly talks of requesting consent.
|
| 2. Incentives will drive actors to request additional
| permissions if possible (you always get some legal, can
| claim ignorance, etc)
|
| 3. People get constant intrusions wasting our collective
| time and attention on an enormous scale.
|
| The current law is encouraging this type of user-hostile
| behavior. This is stating an objective fact, since the
| current situation is clearly a result of the current law.
|
| If any type of consent-banner or opt-in method is allowed,
| industry groups will lobby for loopholes they can use to
| trick users using whatever mechanism the law leaves at
| their disposal.
|
| Just outright ban the use of cross-site tracking and user
| profiling. We don't have a societal need for this to be
| legal.
| msl wrote:
| > they are even on government websites
|
| Could you give some examples please? I checked all the
| government websites I could think of and didn't see any.
| throwaway_sb666 wrote:
| https://gdpr.eu/cookies/ lol ;-)
|
| https://european-union.europa.eu/
|
| https://www.sundhed.dk/
|
| https://www.securite-sociale.fr/
|
| 4 out of 4 in my case. May I ask which ones you checked,
| I'm genuinely curious, cause I really don't remember
| seeing any official website in the EU without cookie
| banner in many years.
| msl wrote:
| Okay, the first two are pretty hilarious, but as far as I
| can tell, the first one doesn't actually set any cookies
| if you don't react to the banner, and the second one sets
| just this: "{"cm":false,"all1st":false,"closed":false}",
| which seems acceptable.
|
| The other two are trickier to judge, but contain (user?)
| identifiers, which could certainly be used for tracking,
| so I'll have to concede your point.
|
| Edit: I had to recheck some of the sites I'd previously
| checked, as your examples helped me realize that my
| browser does a lot of blocking. It turns out that just
| one of my examples was actually a good one:
| https://finlex.fi/en/
|
| Edit2: Found others: https://www.suomi.fi/frontpage and
| https://vnk.fi/en/frontpage
|
| Both actually do set cookies, but apparently nothing
| requiring consent.
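
The manual check msl describes above (which cookies arrive before the visitor reacts to the banner, and whether their values look like stored state or like identifiers), as an added Python example that is not part of the thread or of the linked paper. The header lines, the cookie names, the identifier values and the entropy threshold are constructed assumptions; only the JSON consent-state value is the one quoted in the comment.

```python
import json
import math
import re
from collections import Counter
from urllib.parse import unquote

# Constructed Set-Cookie lines standing in for a response captured BEFORE any
# banner interaction. Names and identifier values are made up; the first value
# is the JSON quoted in the comment above, percent-encoded.
SAMPLE_HEADERS = [
    "consent_prefs=%7B%22cm%22%3Afalse%2C%22all1st%22%3Afalse%2C%22closed%22"
    "%3Afalse%7D; Path=/; Max-Age=31536000",
    "visitor=3f9c2a7e5b1d4c8fa0e6b2d97c41f8a3; Path=/; Max-Age=63072000; Secure",
    "lang=en; Path=/",
    # A "preferences" cookie that also carries a per-visitor token.
    "prefs=%7B%22ads%22%3Afalse%2C%22uid%22%3A%227c1e9a40b35d48f2a6e0d1c95b8f"
    "3a27%22%7D; Path=/; Max-Age=31536000",
]

TOKEN = re.compile(r"[A-Za-z0-9_-]{16,}")  # long opaque runs (hex, base64url, UUID)
MIN_BITS_PER_CHAR = 3.0                    # assumed threshold, tune on real data


def parse_set_cookie(header):
    """Split one Set-Cookie line into (name, decoded value, attributes)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, raw = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), unquote(raw.strip()), attrs


def entropy(text):
    """Shannon entropy of the string, in bits per character."""
    counts = Counter(text)
    total = len(text)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def _leaves(obj):
    """Yield every scalar inside a decoded JSON structure."""
    if isinstance(obj, dict):
        for item in obj.values():
            yield from _leaves(item)
    elif isinstance(obj, list):
        for item in obj:
            yield from _leaves(item)
    else:
        yield obj


def classify(value):
    """Return 'consent-state', 'possible-identifier' or 'low-entropy'."""
    try:
        parsed = json.loads(value)
    except ValueError:
        parsed = None
    # A JSON object holding only booleans/nulls cannot single out a visitor.
    if isinstance(parsed, (dict, list)) and all(
        isinstance(leaf, bool) or leaf is None for leaf in _leaves(parsed)
    ):
        return "consent-state"
    # Otherwise look for a long, random-looking token anywhere in the value.
    for token in TOKEN.findall(value):
        if entropy(token) >= MIN_BITS_PER_CHAR:
            return "possible-identifier"
    return "low-entropy"


def audit(headers):
    """Classify every cookie set by the pre-consent response."""
    report = []
    for header in headers:
        name, value, attrs = parse_set_cookie(header)
        report.append({
            "name": name,
            "verdict": classify(value),
            "persistent": "max-age" in attrs or "expires" in attrs,
        })
    return report


def flagged(headers):
    """Names of cookies that deserve a manual look before consent is given."""
    return [r["name"] for r in audit(headers)
            if r["verdict"] == "possible-identifier"]


if __name__ == "__main__":
    for row in audit(SAMPLE_HEADERS):
        print(row)
```

A "possible-identifier" verdict is a prompt to inspect the cookie, not proof of tracking, and a short or structured identifier will pass this heuristic unflagged.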
| throwaway_sb666 wrote:
| Terve! Not surprised to see Finland slightly ahead of the
| curve.
|
| I think the default is that most people, professionals
| included, don't understand the law and throw in the
| banner-spam to be on the safe side or because of outdated
| checklists.
|
| I have zero problem with (edit: first-party) cookies,
| only with the web being a horrible UX for 95% of people,
| so hope more official websites can lead the way, so that
| pop-ups can slowly be de-normalized in people's minds.
|
| Edit:
|
| > https://finlex.fi/en/
|
| Nice find. Also:
|
| https://oikeusministerio.fi/en/frontpage
|
| Can they inform Denmark?
|
| https://www.justitsministeriet.dk/
| anaccountexists wrote:
| The most common use of "tracking" cookies is just to be
| able to count unique views for your site, which I think
| is a perfectly reasonable thing to want to do. Knowing
| the impact of your site is something pretty much every
| website producer (including governments, individuals, and
| businesses) wants to do.
|
| Another example of where cross-site tracking is useful is
| for preventing online payments fraud. You have a similar
| IRL version of this where your bank will freeze your card
| if it sees purchases being made in different countries
| simultaneously.
|
| Somewhere along the line, counting views or helping
| reduce fraud for customers turned into "store full
| demographic information about someone who never signed up
| for our service", which is where everything went wrong in
| my mind. The cookies themselves aren't the problem, it's
| how they're being used.
| throwaway_sb666 wrote:
| > The most common use of "tracking" cookies is just to be
| able to count unique views for your site, which I think
| is a perfectly reasonable thing to want to do.
|
| Sure, and I don't remember if this is currently legal
| without need to notify/ask, but I think it should be.
|
| As long as the tracking data is legally and technically
| isolated to only domains/apps/devices controlled by the
| same entity... Most people have the expectation that a
| website/business will be able to remember them across
| visits from the same browser.
|
| But people will not necessarily have this expectation of
| being recognized across domains or different devices -
| indeed most people won't know it's even possible - so
| _anything_ facilitating such identity/profile
| correlation should be considered illegal tracking by
| default. The specific technical method of creating the
| correlation should not matter. Honestly this could extend
| to non-web profile building as well.
|
| The exception, of course, is if the user has self-
| identified by logging in.
|
| > Another example of where cross-site tracking is useful
| is for preventing online payments fraud. You have a
| similar IRL version of this where your bank will freeze
| your card if it sees purchases being made in different
| countries simultaneously.
|
| True, completely agree. There are already blanket
| exemptions for certain uses in the GDPR and those should
| be extended as needed for use cases that have legitimate
| value. Cookie law should be changed so no need to
| ask/inform the user about these use cases other than in
| the website's privacy statement, where such tracking
| should be stated.
|
| Industries handling such tracking data should be
| regulated and audited to ensure proper handling and use
| of the data. Again I think this should be applied as a
| broader principle, and I think for example loyalty
| programs should be also audited to ensure compliance with
| legal uses of the collected data.
| goodpoint wrote:
| > Did we consider that if everyone is breaking the law, the law
| itself might need a rework?
|
| No, GDPR is doing tons of good work.
|
| The whole web is a privacy and security nightmare and we've
| been tolerating this mess long enough.
|
| Many companies are engaging in malicious compliance by annoying
| users with popups and pushing the blame onto GDPR.
|
| The reality is that 99% of websites need zero cookies, zero
| popups and no logging of IP addresses. The ones requiring login
| can set a login cookie without pestering the user.
| robin_reala wrote:
| Exactly, everyone's still breaking the law, but it's not a
| binary thing. They're breaking the law much less now, and
| they're being much better about documenting the ways in which
| they're breaking it than they were previously.
| aidos wrote:
| Sure, but you have to also accept that there are aspects that
| have made the internet a worse experience without actually
| improving the situation from a privacy point of view.
| mpweiher wrote:
| Yes, there are aspects that have gotten worse, but _all_
| those aspects are companies breaking the law in question.
|
| And no, privacy actually is improving.
|
| And enforcement is ramping up.
|
| We still have a way to go, but we're moving in the right
| direction.
| Nextgrid wrote:
| To be fair, the GDPR does outlaw all the things we find
| annoying with the cookie banners (or rather, data
| processing consent flows, as they cover more than just
| cookies).
|
| The problem is continuous lack of enforcement and distinct
| lack of billion-dollar fines everyone was fear mongering
| about, which allows companies to passively-aggressively
| pretend to comply by making their banners annoying on
| purpose to mislead people into hating the GDPR.
|
| This problem would be resolved overnight (and everyone's
| privacy increased by orders of magnitude, since spyware
| would become illegal again) if those fines actually started
| coming down.
| throwaway_sb666 wrote:
| > The problem is continuous lack of enforcement
|
| Yeah, but it's hard to enforce a law at scale when the
| difference between legal and illegal behavior is not
| obvious to a layperson. The law is too technical.
|
| It also shouldn't have options where a user can
| simply allow further data collection, since this makes it
| hard to clearly say whether a certain practice is legal or
| not, since it "will depend".
|
| This creates more friction to enforcement. If things were
| more clear-cut, enforcement could be automated, and you
| would probably see those fines roll out.
|
| It is harder to say "this software library is illegal to
| use in the EU" if there are certain circumstances where
| it's not.
| mnw21cam wrote:
| > ...the difference between legal and illegal behavior is
| not obvious to a layperson.
|
| GDPR and cookie law is not hard to understand, so that
| excuse is a little bit lame to be honest. Besides, if you
| really need to understand what you must do by law, you
| should hire a lawyer. That's the same as with any other
| law.
| robin_reala wrote:
| Billion-dollar fines can only happen if the company in
| question had a revenue of EUR25B per year and was hit
| with the maximum fine. But either way, enforcement is
| absolutely happening: https://www.enforcementtracker.com/
| has over 1,000 rulings in its DB.
| Nextgrid wrote:
| It's not enough. That link gets posted all the time but
| it just shows that over 4 years, across _all_ companies,
| the total fine amount is just over 1Bn. How much does
| Google or Facebook profit from non-consensual data
| processing in just a single year?
| endisneigh wrote:
| Fine them all! Europe will collect billions.
| ars wrote:
| And people will just stop providing service to Europe. It's
| already started, there are tons of sites that refuse service to
| Europe.
| FreeHugs wrote:
| I run a website with a few hundred thousand monthly active users.
| I get tons of mails from users telling me how much they love it.
| One unintrusive, smallish Adsense banner pays for everything. For
| years now, everyone was happy.
|
| Now Google sent me an email that they want me to gather user
| consent before showing Adsense. They offer an automatic consent
| modal. But the problem with that one is that it not only displays
| the consent modal but also injects a smaller widget into the
| site. It looks like the widget only pops up when the user scrolls
| down to the bottom of the page. Unfortunately, that also makes it
| pop up when the page is not longer than the screen. So pages
| where the content fits on the screen behave really really shitty.
| Maybe that is the reason why I have never seen it used anywhere.
|
| And of course loading the consent script from Google before
| getting consent is not in line with GDPR in the first place.
|
| Other consent solutions I see around the web are heavy third
| party widgets that do a lot of complicated stuff. And because
| they are third party scripts, they are also not in line with the
| GDPR.
|
| I have not found any indie developers who have implemented their
| own consent solution. And as far as I understand it, Google has
| no communication channel. They just threaten to kick you off
| Adsense. So all I can do is implement my own solution and wait if
| it happens or not.
|
| I started to implement my own consent banner now. Not sure if I
| will get it right so that it pleases Google.
|
| I fear that this whole GDPR thing might be the end of my website.
| dmitriid wrote:
| Ah yes. It's the GDPR that's the end, and not the non-compliant
| and law-breaking implementations from Google and other
| parasites.
| judge2020 wrote:
| > And of course loading the consent script from Google before
| getting consent is not in line with GDPR in the first place.
|
| Only if Google uses that information whatsoever. They'd be on
| the hook if they run afoul of GDPR by collecting information
| when it's obtained before consent happens, and I'm sure the
| enforcement agency isn't going to fault the web admin for
| taking Google's word on compliance.
| dmitriid wrote:
| Web admin is the first person responsible for keeping that
| data safe. If they use a non-compliant tracker, well, they
| are liable as well.
|
| That said, EU is now finally going after the trackers:
| https://techcrunch.com/2021/11/05/iab-europe-tcf-gdpr-
| breach...
| slig wrote:
| Most of your users are from EU? If not, just do what big
| publishers are doing.
| FreeHugs wrote:
| What do you mean? Can you give an example?
| Nextgrid wrote:
| He's saying to deny access to EU-based users, which will
| make it very unlikely that any EU-based user will complain,
| thus (in practice) removing the need for GDPR compliance.
| FreeHugs wrote:
| I am not aware of any big publishers doing that. That is
| why I asked for an example.
| tomatowurst wrote:
| olalonde wrote:
| Given the amount of confusion and conflicting interpretations of
| GDPR we get on HN, I'm not really surprised. Then there's always
| the vocal minority that is fully convinced that GDPR is very
| simple and clear.
| Nextgrid wrote:
| There's a huge amount of misinformation spread around it, and
| not to mention existing online information about the earlier
| and completely stupid "cookie law" is sometimes mistaken for
| the GDPR.
|
| It doesn't help that the GDPR is only really simple if you
| don't abuse personal data. It will obviously become very
| complex when you're hoping to find loopholes to do something that
| the GDPR was fundamentally designed to outlaw, and it just so
| happens that a large chunk of this site makes their money from
| this.
| LegionMammal978 wrote:
| > It doesn't help that the GDPR is only really simple if you
| don't abuse personal data.
|
| I'm not sure how helpful this criterion is; there exists a
| large gray area in what people consider to be "abuse". For
| instance, suppose that an EU-based business hotlinks an image
| from a U.S.-based website (or a website hosted on a U.S. CDN,
| or a website operated by a business owned by a U.S.
| corporation). Then that business is at risk of being fined,
| since it has no way of proving that the target website does
| not log IP addresses (e.g., for some DoS-protection suite),
| and if it does, the U.S. government could gain access to
| those IP addresses, which are defined as protected personal
| information.
|
| In this scenario, the EU-based business isn't necessarily
| doing anything nefarious like selling data to advertisers,
| and it could even be refraining from storing any data at all.
| Likewise, a U.S.-based website that stores only connection
| logs isn't necessarily doing nefarious things with those. But
| the former business is still at risk of being fined, since IP
| addresses have been placed under the umbrella of protected
| personal information.
|
| In the discussion a while back of the Google IP-address fine,
| I saw two talking points come up repeatedly: that there would
| have been no issue if Google weren't doing nefarious tracking
| of IP addresses, and that the EU operator must have known
| that IP addresses are radioactive to store or transmit but
| chose to do so anyway. AFAICT, the first is inaccurate, since
| any persistent storage of IP addresses by U.S. operators is
| problematic. And the second, I think, illustrates the real
| tension here: between privacy maximalists who prefer the
| least possible amount of data to be stored in all
| circumstances, regardless of the cost, and everyday server
| operators who fear that using the default settings on their
| software or using seemingly-trivial functionality could be
| introducing legal liability.
|
| I'm still not sure myself about the relative merits of the
| two viewpoints, but much more could be done to assist the
| latter group in following best practices, instead of
| immediately demonizing them as nefarious loophole finders.
| (Not to say that nefarious operators don't exist, of course,
| but I suspect that their prevalence is very easily
| overstated.)
| systemvoltage wrote:
| > completely stupid "cookie law"
|
| It doesn't take a genius to figure out:
| Before GDPR: No cookie banners
| After GDPR: Cookie banners
|
| Who's to blame is irrelevant. Users don't care and the
| effects are real whether it is put on directly by companies
| as an indirect result of GDPR.
| Nextgrid wrote:
| Cookie banners were a thing before the GDPR - the stupid
| "cookie law" aka ePrivacy Directive was a thing much
| earlier on.
|
| The main problem however is the lack of enforcement though.
| None of these "cookie banners" comply with the GDPR, yet
| are allowed to proliferate because nobody is cracking down
| on them, so they're a form of pseudo-compliance that is
| very effective at swaying public opinion against the GDPR.
| throwaway_sb666 wrote:
| Hot take: Only way to undo past damage is to now make the
| cookie/consent banner illegal.
| systemvoltage wrote:
| Good point. If this is not an indictment of the failure
| of GDPR, I don't know what is.
| mariusor wrote:
| I doubt that very much. A lot of the indieweb sites don't bother
| collecting information about their users so they don't need to
| show information pop-ups nor worry about GDPR. I know I don't.
| shadowgovt wrote:
| If your site is running on Apache with default logging, or a
| shared host like DreamHost, you are probably not fully in
| compliance with the letter of the GDPR since you're logging IP
| addresses and aren't using them for necessary site operations.
|
| ... especially if the log just grows and grows and never
| rotates. The GDPR is a very wide-reaching law.
|
| Of course, there's no real need to worry since, practically
| speaking, it was intended as a cudgel to beat FAANG with and
| not a dagger to stab indies with. If you're comfortable with
| the safety of your operations being "The folks with legal power
| to enforce won't wield it on _you_", you have nothing to worry
| about.
| UnpossibleJim wrote:
| The problem is, they _can_ enforce it on you at any time of
| their choosing should you do something deemed unpopular or
| troublesome. While the cudgel was intended for FAANG, the
| dagger still hangs to stab any indie that gets out of line.
|
| Why would I rely on the kindness of government not to enforce
| a poorly written law?
| shadowgovt wrote:
| Your position is mine, which is why I'm surprised at how
| broad the support for GDPR seems to be around here.
|
| "Broad government power is okay as long as they're clubbing
| the right people" is certainly a mood.
| mariusor wrote:
| I don't think "enforce" means what you think it means. If
| you are contacted about a GDPR matter usually you have time
| to fix it before it's "a violation" that incurs penalties.
| UnpossibleJim wrote:
| It's "squishy" terms in law, like "usually" that I find
| bothersome. Granted, I haven't read the complete
| specifics of all of the minutia when it comes to the
| GDPR, I'll admit. I do keep cookies by default though, as
| a habit, which seems to be in violation of GDPR rules.
|
| Should I start publishing a blog or some such which was
| antithetical to the prevailing party doctrine, that
| happened to gain traction with the public, terms like
| usually _tend_ to go out of the window. Al Capone wasn't
| indicted on bootlegging after all.
| M2Ys4U wrote:
| Enforcement action must be "proportionate", so even if
| you are pulled up by a supervisory authority it's
| unlikely they're going to give you a massive fine
| straight off the bat - especially if you are _trying_ to
| comply and can demonstrate that.
| UnpossibleJim wrote:
| I think everyone seems to be missing the point of what
| I'm saying, and maybe it's my fault. In the defense of
| the law that people have given to me, so far, the terms
| "Usually" and "Unlikely" have come up. Neither of those
| terms are very satisfactory if I write a critical piece
| critical of the government and am taken to the full
| extent of the GDPR's breadth, with little ability to
| fight it, being a small, independent, self published
| journalist who had a friend set up a server using the
| default Apache settings (this is an example - I am not).
|
| In such a case, a massive fine would not only bankrupt
| that person but would silence such critical dissension
| from occurring in a much needed vocal minority.
| Investigative journalism from non-corporate outlets,
| through non-corporate outlets is a wonderful thing, which
| has become a rarity, and has the potentiality of becoming
| illegal due to clerical mishaps.
|
| While I do understand the necessity of a user's privacy,
| I also understand the necessity of "removing the tumor
| and saving the leg", to borrow a colloquialism. Broad-
| brush approaches have quite a few down-stream
| consequences, which are seldom realized until it's too
| late. We've only to look at "the war on terror" and the
| domestic surveillance that came about in the name of
| "safety" to understand that =/
| PragmaticPulp wrote:
| > A lot of the indieweb sites don't bother collecting
| information about their users so they don't need to show
| information pop-ups nor worry about GDPR.
|
| Not true.
|
| I've spent far too much time with expensive lawyers going
| through the painful details of GDPR compliance and edge cases.
| If you keep logs at all, anywhere, then technically you could
| be at risk of crossing the GDPR. Don't assume that you're free
| and clear because you haven't gone out of your way to add any
| analytics.
| Nextgrid wrote:
| If you keep logs forever, yes you'll be in trouble (though
| probably much less than plastering your website with
| analytics or ads).
|
| Keep logs for a reasonable amount of time (90 days) and
| you'll be fine.
|
| Well, given the current state of GDPR enforcement, you'll be
| fine whatever you do. But lawyers are going to lawyer and
| consent management platforms will be delighted to scare you
| into buying their "solution", even if nitpicking by bringing
| up edge-cases that are unlikely to occur and for which no
| case law exists nor will ever exist.
| trh0awayman wrote:
| The cookie consent stuff has always seemed straightforward to
| me, but maybe I've had it wrong this whole time. It does really
| say a lot that 95% of websites had a violation. I wish that we
| could make the GDPR entirely client-side.
|
| Semi-related: my understanding is that it's impossible for
| American hosting companies to comply with GDPR (due to the CLOUD
| act).
|
| If that's the case, and you're American/using an American host,
| is there any point in even trying to comply?
| notRobot wrote:
| > If that's the case, and you're American/using an American
| host, is there any point in even trying to comply?
|
| It's the user-friendly option. Respect your users. Get consent
| for tracking.
| tschellenbach wrote:
| Government regulation that outsources/hides the cost on consumers
| and businesses needs additional scrutiny. Did anyone analyze the
| full cost of these regulations? It must be insanely high.
| zelphirkalt wrote:
| If those businesses had thought of actual consent to their
| practices before and had acted accordingly, they would not sit
| on a mountain of tech debt now and their costs of becoming
| conformant with GDPR would be minimal.
| karaterobot wrote:
| Handy guide to GDPR for web developers:
|
| * You can't set all your cookies first, then ask permission.
|
| * You can't set all your cookies whether the user accepts them or
| not.
|
| * You can't tell users to stop using the website if they don't
| want cookies.
|
| * You can't convince any business owner to follow the above
| rules.
| PragmaticPulp wrote:
| GDPR is about far more than just cookies.
|
| Once you get into it, the GDPR is extraordinarily vague. It
| obviously wasn't written by engineers or even people with
| domain experience. You can easily interpret common server-side
| logging operations as GDPR violations if you're not careful.
| kmeisthax wrote:
| As it should be. The G stands for "General", after all.
|
| If engineers wrote the law, it would have no effect, because
| it would specify the means by which tracking happens (e.g.
| cookies, HTML5 localstorage) but not the act of tracking
| itself; and it would be easy to circumvent. Legal documents
| _cannot_ be precisely specified bundles of English-language-
| shaped computer code; they need flexibility so that the judge
| can actually rule things that make sense.
|
| For example... why _shouldn't_ server-side logging be
| treated as in GDPR scope? It does not matter if cookies
| weren't used to collect it; an IP address and time pair is
| already enough information to identify an ISP account and
| that's usually enough for lawyers to sue you with.
| goto11 wrote:
| > You can easily interpret common server-side logging
| operations as GDPR violations if you're not careful.
|
| Indeed - if you log client IP, it is subject to GDPR.
| M2Ys4U wrote:
| The clue's in the name, it's the _General_ Data Protection
| Regulation.
|
| The idea is to provide a high level of data protection _in
| general_.
|
| It's _not_ just an internet/engineering law. It applies
| exactly the same in an offline setting as it does on the web.
| lbriner wrote:
| Seems a very patronising response. Personally, I have found
| the GDPR clear and well thought-out. Of course, there are
| some things that are annoying that you have to comply with
| like "IP addresses are personal data" but that is a problem
| with the web, not with the intention and implementation of
| GDPR.
| Nextgrid wrote:
| I'm upvoting this because you are correct that the GDPR is about
| much more than just cookies, but I disagree with the
| (perceived?) negativity around how the regulation is vague.
|
| It's designed to be vague because it covers intent and
| outcomes more than specific technical means of achieving
| them. This ensures the law doesn't need updating every time
| there's some new variant of local storage, new browser
| fingerprinting vector, etc and also to prevent offenders from
| trivially working around it using a technicality.
|
| Similarly, enforcement will also be much more about intent
| and outcomes than any specific technical means (well that's
| the theory - in practice neither is being enforced right
| now). Nobody will enforce it based on some technicalities,
| they'll enforce it based on outcomes - if you collect
| personal data and use it to track a user without an
| appropriate legal basis (in this case, it should usually be
| consent), you'll be in trouble regardless of whether you use
| a cookie, a browser fingerprint, or even just save whatever
| search queries they type and use that as a way to reidentify
| them. Conversely, nobody is going to go after you if you set
| a session cookie to persist a login or shopping cart.
| jeroenhd wrote:
| The GDPR is far from vague, the complications come from the
| legalese that was used to write it. Engineers aren't lawyers
| and vice versa. You wouldn't want to develop software thrown
| together by lawyers, and lawyers wouldn't want to work on law
| written by engineers.
|
| It's "vague" on purpose. Had the GDPR banned cookies,
| companies would have switched to fingerprinting. Had the GDPR
| banned JS tracking, Google would've pushed Dart to Chrome.
| It's written that way so that companies can't think of
| loopholes because of the language used.
|
| Most (European) law is written quite vaguely. The vagueness
| allows judges to make the right call rather than become law
| robots. Instead of specifying concrete limits, the law refers
| to the current state of the art. If you let the law decide
| what safeguards are or aren't appropriate, we'd be using 3DES
| and MD5 to this day, because that's what the law says.
|
| We've seen what the EU does when it tries to lay down more
| concrete rules: they're trying to force the EU to manage
| certificate authorities for browsers, which is obviously a
| terrible idea. Crap like that is why we need vague laws.
| bjt2n3904 wrote:
| That's the end result of extremely complicated legislation.
| Everyone breaks it, but you only get caught if you stick out
| enough.
|
| Uncharitably, it's a way for the government to arbitrarily
| prosecute anyone they please.
| throwaway_sb666 wrote:
| More charitably and historically accurate, it's the result of
| hardcore political negotiations with the originally proposed
| legislation watered down due to pressure from politicians and
| governments influenced by lobbyists.
|
| But yeah, the result is too complicated to be effectively
| enforced, sadly. So further reform is needed.
| deugtniet wrote:
| It's pretty well known that cookie-walls are rife with anti-
| consumer patterns. Going to something like formula1.com requires
| me to click more than 100 times to object to the 'legitimate
| interests' of as many companies. Which is a pretty terrible anti-
| pattern when I don't want to be tracked at all...
|
| After reading the abstract, it seems the authors try to classify
| cookies using a special browser extension called "CookieBlock"
| [1]. I hope they are successful, because I hate being tracked on
| the internet.
|
| [1] https://github.com/dibollinger/CookieBlock
| zeruch wrote:
| I use UMatrix for this (and NoScript) for the granularity
| mpweiher wrote:
| > It's pretty well known that cookie-walls are rife with anti-
| consumer patterns.
|
| Which are _all_ illegal.
|
| The wheels of justice turn slowly, but grind exceedingly fine.
|
| And you can help: if you find an annoying pop up, file a
| complaint with your local data protection agency.
| andai wrote:
| TrustArc's consent popup disappears instantly on Accept All but
| shows a loading spinner for "up to several minutes" if you
| reject cookies. I emailed them about this (because in my
| experience it's only their software that implements such a dark
| pattern), they replied "customer misconfigured our software,
| not our fault" lol.
| throwaway_sb666 wrote:
| Honestly I think the GDPR/cookie consent providers should be
| held equally liable as the website owner for the collective
| violations facilitated by their product.
|
| I think being able to go after the enablers and profiteers
| would make enforcement much easier.
|
| An officially maintained list of legal/illegal libraries and
| services could help website owners to choose a known legal
| solution. Right now it's hard to expect website owners to 'do
| the right thing' when there's so much contradictory
| information out there.
| Matticus_Rex wrote:
| If you did that, no one would be in that business lol
| Nextgrid wrote:
| Is that a big loss? I can't picture anyone, outside of
| their employees and shareholders who would be negatively
| affected by TrustArc disappearing overnight. I just
| checked their website and it seems like their _entire_
| business is GDPR _pseudo-_ compliance targeted at
| businesses who can't legitimately comply with the GDPR.
| Nextgrid wrote:
| I wonder if it's a really lazy and terrible attempt at
| accounting for how long the opt-out request would take. Let's
| imagine it has no way to know (because of cross-domain
| restrictions?) whether an opt-out request to a third-party
| succeeds - in which case it simply waits a reasonable amount
| of time for the request to complete. Of course, a reasonable
| time should be a handful of seconds, but I guess at least it
| makes sense that this is configurable and could explain the
| problem.
|
| That's about the only non-malicious reason I can think of.
| cge wrote:
| My understanding is that the preferences should not be an
| opt-out of a default setting per the GDPR, they should be
| preferences that are requested and then saved. So surely the
| _opt-in_ setting would take just as long as the _opt-out_
| setting, wouldn't it?
| ratww wrote:
| The opt-in should technically take more time, since you
| shouldn't be sending PII data _before_ the consent.
|
| In the case of opt-out the only single thing that has to
| happen is setting a local cookie and closing the modal
| window, which are things that also happen when you
| accept.
| andai wrote:
| It's entirely possible that it is the result of
| incompetence rather than malice. Either way, it strongly
| discourages users from rejecting cookies by wasting their
| time for 20-30 seconds every time.
|
| Whatever it's doing can simply be done in the background,
| it doesn't even _require_ UI.
| iso1631 wrote:
| Very few people actively want to be tracked by 500
| different companies. Some don't mind, some consider it
| the price they have to pay
|
| The whole point of the charade of "asking" is to get
| people to
|
| 1) Just say yes
|
| 2) Complain to their government about it
| judge2020 wrote:
| > Going to something like formula1.com r
|
| Not sure if this is because I'm in the states, but 'manage
| settings' has a 'reject all' button for me[0] and it seems to
| work.
|
| 0: https://i.judge.sh/0vCJB/q_nQ34wtjO.png
| Thiez wrote:
| But does that button also reject "legitimate" interests?
| judge2020 wrote:
| Most likely everything with a toggle except 'Required
| Cookies', which are required to make the site work between
| pages (if you want to turn those off you can disable
| cookies for the domain in your browser, at risk of the site
| breaking).
| spiderfarmer wrote:
| Isn't every webserver that uses the standard access.log format
| (thus including IP address) already non-compliant?
| layer8 wrote:
| No. You are allowed to keep such logs for a limited time in
| order to be able to analyze attacks on your web server.
| gyulai wrote:
| It's not true that you don't need to worry about GDPR if
| you're only going to use this information for a limited time
| to analyze attacks. It's a lot more complicated than that.
| Nextgrid wrote:
| Could you explain?
|
| Keeping the information for a reasonable amount of time for
| security or fraud-detection purposes would definitely fall
| under legitimate interest.
|
| I really don't see any bad outcome happening from doing the
| reasonable thing. Enforcement is near non-existent (Google
| and Facebook are still around after all), and when it does
| happen it still very much skews towards assuming good faith
| (even when it shouldn't) so you'll definitely be fine even
| if you get it wrong in which case you'll just be given
| guidance on how to do better.
| layer8 wrote:
| I didn't say you don't need to worry about GDPR, I said
| that GDPR doesn't prohibit keeping such logs.
| gyulai wrote:
| I just jumped in with a clarification to make sure others
| who read this don't think that.
| gyulai wrote:
| > Could you explain?
|
| > Keeping the information for a reasonable amount of time
| for security or fraud-detection purposes would definitely
| fall under legitimate interest.
|
| Yes, but not being allowed to collect the data at all is
| not the only way you can fall foul of GDPR compliance.
|
| E.g. you also have to give the data subjects processes for
| getting info about what data you have on them, getting it
| corrected if they want to, getting it deleted if they want
| to. Those are tied to mandatory maximum response times. You
| have to have a data processing register that the regulator
| can ask you to show them. You have to have co-controller or
| subcontractor agreements in place if third parties get to
| see the data in any way. -- There's a _host_ of things you
| have to do.
| alkonaut wrote:
| > E.g. you also have to give the data subjects processes
| for getting info about what data you have on them,
| getting it corrected if they want to, getting it deleted
| if they want to.
|
| A Policy note is standard for most sites. An email
| address or form where users can request their data isn't
| possible for web logs storing IP alone. So long as the
| analysis window for the logs is shorter than the max
| response time to data requests, you can always
| autorespond at the end of the response time window saying
| "Thanks for your request on date D. We have no data
| stored for you from date D and earlier". Which would be
| true since the logs are then already flushed out. The
| paperwork if there is zero real per-user data, zero third
| parties/subcontractors etc. will be pretty minimal
| (thankfully).
|
| This is of course assuming 2 things: 1) that you can do
| all your log analysis in a very short window and 2) that
| you can do it in house and won't send it to a third
| party.
| Nextgrid wrote:
| > you also have to give the data subjects processes for
| getting info about what data you have on them
|
| Nobody is going to do that for _web server logs_ unless
| you associate them with user accounts. If it happens once
| because someone wants to joke around, you can handle it
| as a one-off. You could also decline unless they can
| provide a letter from their ISP certifying that the
| provided IP address is static and has been assigned to
| them for the requested timeframe, both as a way to verify
| the legitimacy of the requestor as well as to deter such
| obviously-malicious requests.
|
| > getting it corrected if they want to
|
| It's web server logs - those are generated automatically
| based on incoming request data; there's nothing to
| "correct" there.
|
| > getting it deleted if they want to
|
| Up to you how you want to handle this (this depends on
| whether you need those logs). If you're keeping them for
| legitimate interest for a certain period of time, you can
| just refuse, and you can obviously refuse as above until
| they go through a (admin-intensive) process of actually
| proving they have owned this IP address for the requested
| timeframe.
| gyulai wrote:
| I quite agree with you that it would be highly
| unpractical to set up that kind of system around access
| logs. For that reason, the sensible thing to do is to not
| have IP addresses in your access log.
| gyulai wrote:
| This is a very poor default, and I think it's a good thing that
| the legal environment challenges that default.
|
| It's not automatically non-compliant, of course, but you might
| have to clear some legal hurdles to make it so.
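
The two log-handling approaches raised in this sub-thread (a short retention window, and not keeping full IP addresses in the access log), as an added example that is not part of any comment above: a Python filter for Combined Log Format lines. The /24 and /48 mask widths, the 7-day window and the sample lines are assumptions made for illustration.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Assumed values, not taken from the thread.
V4_PREFIX = 24                    # keep the first 3 octets of IPv4
V6_PREFIX = 48                    # keep the first 48 bits of IPv6
RETENTION = timedelta(days=7)     # drop entries older than this

# host ident authuser [timestamp] "request" status bytes ...
LINE_RE = re.compile(r'^(?P<host>\S+) (?P<rest>\S+ \S+ \[(?P<ts>[^\]]+)\] .*)$')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def mask_ip(host):
    """Return the network address of `host`, or "-" if it is not an IP."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "-"                # reverse-resolved hostname or junk: keep nothing
    # ::ffff:a.b.c.d is an IPv4 client seen on a dual-stack socket.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    prefix = V4_PREFIX if addr.version == 4 else V6_PREFIX
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def scrub(lines, now):
    """Mask client addresses and drop entries outside the retention window.

    Lines that do not parse are dropped rather than passed through,
    so a malformed entry can never carry a raw address into the output.
    """
    kept = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            ts = datetime.strptime(m["ts"], TS_FORMAT)
        except ValueError:
            continue
        if now - ts > RETENTION:
            continue
        kept.append(f"{mask_ip(m['host'])} {m['rest']}")
    return kept


# Constructed sample input (documentation address ranges only).
SAMPLE = [
    '203.0.113.42 - - [20/Mar/2022:15:08:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '2001:db8:85a3:8d3:1319:8a2e:370:7348 - - [21/Mar/2022:09:00:00 +0000] "POST /login HTTP/1.1" 302 0 "-" "curl/7.79"',
    '198.51.100.7 - - [01/Mar/2022:00:00:00 +0000] "GET /old HTTP/1.1" 200 10 "-" "-"',
    '::ffff:192.0.2.200 - - [21/Mar/2022:10:00:00 +0000] "GET / HTTP/1.1" 200 5 "-" "-"',
    'not a log line',
]
NOW = datetime(2022, 3, 21, 23, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for entry in scrub(SAMPLE, NOW):
        print(entry)
```

Masking only the host field leaves the request path, referrer and authenticated-user fields untouched; those need their own handling if they can carry identifiers.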
| globalise83 wrote:
| What about a wiki system + workflow tool for documenting all GDPR
| infringements on every website of interest with auto-submission
| of a complaint to the regulatory agencies?
| ffhhj wrote:
| Is the PHPSESSION cookie valid for GDPR? Or should we replace it
| with a token?
| M2Ys4U wrote:
| Is it strictly necessary for the provision of your service?
| Then the ePrivacy Directive says that it's okay.
|
| Otherwise, you need consent.
| skaul wrote:
| Brave has an option to block cookie notices - you need to enable
| the "Filter obtrusive cookie notices" list in brave://adblock.
| https://twitter.com/shivan_kaul/status/1488989740690853888
|
| We're experimenting with blocking cookie notices by default in
| Nightly. There's webcompat risk - some websites just break if you
| block the cookie notice. "Works on 90% of websites" is just not
| good enough when deploying to 50 million Web users.
| Loeffelmann wrote:
| Isn't there insane money to make just suing everybody in breach
| of GDPR? I always thought there were lawyers scouring the
| internet in search of a quick buck.
| delusional wrote:
| I don't think you really "sue" anyone for breaching GDPR. I
| think you report it to the local authorities, and then they
| pursue a case.
|
| Basically I don't think there's any money for the lawyers to
| pick up here.
| M2Ys4U wrote:
| > I don't think you really "sue" anyone for breaching GDPR. I
| think you report it to the local authorities, and then they
| pursue a case.
|
| You can.
|
| Article 79 explicitly states that data subjects have a "right
| to an effective judicial remedy where he or she considers
| that his or her rights under this Regulation have been
| infringed as a result of the processing of his or her
| personal data in non-compliance with this Regulation."
|
| Article 82 also states that "any person who has suffered
| material or non-material damage as a result of an
| infringement of this Regulation shall have the right to
| receive compensation from the controller or processor for the
| damage suffered."
| delusional wrote:
| As to the theory, I stand corrected!
|
| As to the practicality of suing for violations, how would
| you quantify "damage suffered" from saving a cookie in my
| browser?
| mimsee wrote:
| Remember GDPR is a general law about data collection so
| it could be anything, not necessarily cookies.
| M2Ys4U wrote:
| > As to the practicality of suing for violations, how
| would you quantify "damage suffered" from saving a
| cookie in my browser?
|
| The GDPR does not regulate cookies at all, at least
| unless they are a form of processing of personal data, so
| you wouldn't be able to sue for that.
|
| It's the ePrivacy Directive that deals with cookies (and
| storing/accessing other data on your devices), and that
| lacks any sort of private cause of action, at least at
| the EU level. Directives (unlike Regulations) have to be
| transposed into domestic law in EU member states, so
| depending on where you are there _might_ be a private
| enforcement mechanism, but I doubt it.
| Ekaros wrote:
| Specially in EU where largely we do not go for punitive
| awards. Fines yes, but not punitive awards...
| redler wrote:
| It would probably be some very large number backed by a
| theory like "this violation has deprived the plaintiff of
| their ability to fully control the disposition of their
| private information and activities, thereby creating
| permanent direct and indirect risks whose damages to the
| plaintiff's income, income potential, business,
| reputation, and family are limited only by the malevolent
| collective imagination of an unbounded pool of
| individual, institutional, or governmental adversaries."
| fsflover wrote:
| https://www.enforcementtracker.com/
| [deleted]
| Pungsnigel wrote:
| Wouldn't that just end up in the hands of whatever government
| is relevant? I believe the fines you pay for GDPR violations
| are paid to governments, not users or suers.
| M2Ys4U wrote:
| Administrative penalties (those levelled by the supervisory
| authorities) do go to the state, but one _can_ receive
| compensation for damages caused by infringement of rights
| under the Regulation.
| legitster wrote:
| Part of my job is to maintain GDPR compliance for corporate
| websites. Even for companies that legitimately want to exceed
| compliance, you would not believe how much of a pain in the ass
| it is.
|
| The first company wanted to do it "right". So we enabled opt-out
| by default for all cookies. Which requires setting an anonymized
| master cookie to check every time we load a webpage to see if we
| are allowed to set other cookies. And since IP-detection was not
| allowed, we did it for all website visitors. And because we have
| to remember your settings, we had to create a separate anonymized
| database outside of our normal website.
|
| And the website broke ALL THE TIME. Product configurators,
| shopping carts, forms, downtime detection - all this stuff relied
| on cookies. And for several months the web team had a constant
| nightmare of customer complaints about broken stuff.
|
| In the first year we ended up spending close to $250k on legal
| advice from European lawyers, and most of the advice boiled down
| to "you're not going to get in trouble if you just do what
| everyone else is doing". Seriously.
|
| Since then it's gotten better - most third party vendors have
| done a better job of offering anonymized cookie versions of their
| products. Or there is just more industry guidance available on
| what kind of cookies can be considered sufficiently anonymous.
|
| For people who claim GDPR compliance is clear and straightforward
| - I can't believe they actually have much experience working in
| Privacy. Actual implementation gets... very opaque. Especially
| when the law says it's illegal to deny service based on their
| cookie preference, but some services are literally impossible to
| provide without a cookie of some form.
| andyjansson wrote:
| > some services are literally impossible to provide without a
| cookie of some form.
|
| You seem to be under a misapprehension about what GDPR is
| about. It is not about cookies, it's about PII.
| legitster wrote:
| At this point it's largely semantics. The ePrivacy directives
| were included in the same piece of GDPR legislation. And when
| people talk about GDPR they are talking about both.
| LinAGKar wrote:
| The GDPR isn't about cookies, it's about personal data. You can
| still use cookies for functional stuff, like keeping track of
| the shopping cart on the client.
|
| The problem here is that companies have an ingrained culture of
| taking the easy route and just grabbing all the data they can
| without regard to privacy, which now comes back to bite them.
| privacylawthrow wrote:
| I'm a privacy lawyer that has worked on cookie consents for a
| number of commercial websites. Everything you said here is all
| too true. The real legal answer in a lot of cases is "Do what
| everyone else is doing. Don't be an outlier. Use industry tools
| because if there's a problem with an industry tool, they'll go
| after the tool and not its users."
|
| The comments about cookies not being part of GDPR are grossly
| wrong. One of the early discussions in the privacy law
| community was how to handle the collision of the new consent
| requirements under GDPR with the fact that the ePrivacy
| Directive requires consent for cookies. Prior to GDPR, a large
| number of EU jurisdictions allowed for implicit consent through
| a variety of actions, like scrolling a page, or non-actions,
| like seeing a banner and not clicking "no". GDPR redefined
| consent and that's why cookie banners pop up.
| belorn wrote:
| As a lawyer, could you make an argument how consent can be
| given by a person if they haven't read the legal document,
| the other party knows that the person has not read the
| document, and even if the person had read the document they
| would not understand it because of its language, complexity
| and size?
|
| To put it in other words, if we used the same definition of
| consent in any other legal contexts that also require freely
| given informed consent, would the legal system still
| function?
| bryanrasmussen wrote:
| > Especially when the law says it's illegal to deny service
| based on their cookie preference, but some services are
| literally impossible to provide without a cookie of some form.
|
| To clarify what others are saying here - it is illegal under
| GDPR to deny service based on people opting out of providing
| PII in the cases where that PII is not needed for providing the
| service, not for refusing to accept cookies (although, sure,
| there can be some relation between these things).
|
| If for example you were providing a service where you sent
| someone emails on their birthday with autogenerated Love from
| your AI Momma messages it would not be illegal for you to
| refuse to provide them access to your service if they opted out
| of you storing their email and birthday, because those two
| pieces of PII are needed for the service to work.
|
| That said, most services do not need to store any PII for any
| length of time to work. Thus if a service says you can't read
| our medical advice column unless you allow us to store all this
| stuff we just hoovered up from your browser forever, that would
| be illegal. Because they don't need any of that stuff to show
| you the article they already have written and ready to go.
| tempnow987 wrote:
| Yeah, anyone who says GDPR is "easy" is just lying through
| their teeth. It really is folks who have not actually had to
| implement or try to implement anything.
|
| The best is they claim (falsely) that you don't actually have
| to pop-up the consent dialogs. Not really true on almost any
| actual website that does anything anyone wants.
| legitster wrote:
| I think it's easy to comply with GDPR if you run a website
| that doesn't offer any services or generate any income. I
| have to believe this is where a lot of these type of HN
| comments come from.
| tempnow987 wrote:
| Even then it's actually not easy. You embed a youtube
| video? You host a font on a US CDN? There are TONs of
| gotchas even for the "free" sites. And then if you actually
| are running a business online - and want to let folks do
| almost anything, better get the pop-ups popping!
| elevatortrim wrote:
| GDPR is easy when your only income is what your users pay you
| and you are not interested in their personal data. My company
| barely changed some internal documents and that was it.
| alkonaut wrote:
| > Product configurators, shopping carts, forms, downtime
| detection - all this stuff relied on cookies.
|
| Yes? Are you saying that when people reject your cookie
| consent, you block the cookies that are fundamental to your
| product? Why would you do that?
| oblio wrote:
| Growing pains.
|
| Like Neo being unplugged out of the Matrix.
|
| It takes a while to learn to respect privacy when all you knew
| was information = ads = $$$.
| legitster wrote:
| Our company didn't engage in any ad or ad networks. But the
| cost of compliance is the same.
| oblio wrote:
| I understand, my point is that nobody has really thought
| about this in detail, so you can't just plug in libgdrp to
| avoid the legwork, like you do with libjpeg or libffmpeg.
| bduerst wrote:
| Yeah this sounds more like change management issues with the
| tech rather than steady-state problems. Changing anything is
| hard, but what about after the change?
| jjoonathan wrote:
| Right, as with the cookie laws companies seem to have
| collectively come to the idea that "they can't catch us all!"
|
| So far they seem to be correct. I would really like to see the
| courts deal a few black eyes over this, I hope this tool can
| help.
| shadowgovt wrote:
| I'm not sure what lessons the rest of the world should have
| taken from the US's "war on drugs" (or, for that matter, the
| US's prohibition before it).
|
| ... but "If you pass the law that outlaws a wildly-popular
| behavior, most people will stop that behavior" probably wasn't
| it. Law can bend behavior on the margins. It just encourages
| rule-breaking when you try to drive it like a spike through the
| middle.
| vanviegen wrote:
| Enslaving people used to be wildly popular behavior as
| well... So do you propose we stop trying to bend society into
| something less bad?
| shadowgovt wrote:
| In my country, we didn't end that practice without a civil
| war.
|
| I think that story is an excellent example of the limits of
| the coercive power of law. Even though the goal is
| righteous, the law may be the wrong tool to achieve it.
|
| What alternative tools can be deployed on this topic?
| Nextgrid wrote:
| The law has yet to be enforced properly and consistently.
| Enforcing the law would be a good start before
| considering alternative options.
| shadowgovt wrote:
| Is the issue of consistent and proper enforcement a "Quis
| custodiet ipsos custodes" issue, or a lack of resources
| to police / monitor / enforce issue right now? IIUC,
| enforcement must be "proportionate," but that's a pretty
| anxiety-inducing word in a law unless there's either
| solid precedent to establish what that word means or an
| oversight board.
|
| And if the issue is that they're under-funded, I agree
| with increasing resources to be proportionate to the need
| to properly enforce the law. Coupled with proper
| proportionate penalties (including warnings for good-faith
| efforts at compliance, making the law a bit more
| like online speeding tickets than the 20-million-euro
| minimum penalty suggests it should be), it may be able to
| adjust behavior.
|
| On the other hand, I'd expect the resulting behavior
| adjustment magnitude to be in the realm of speeding
| tickets (with the occasional reckless-driving for, say, a
| FAANG mass-harvesting data). Maybe that's good enough for
| the goals though.
| jjoonathan wrote:
| Wait, they criminalized it? I thought it was just fines for
| shitty behavior. Fines for shitty behavior I can get behind.
| "We were used to getting away with it" is a poor excuse that
| gets poorer every day. But yeah, making it criminal is too
| far too fast. Assuming they've actually done that.
|
| EDIT: they haven't, "shadowgovt" just overstated the
| comparison. No, I do not believe that getting away scot-free
| with shitty behavior today entitles anyone to get away scot-
| free with shitty behavior tomorrow.
| mpweiher wrote:
| > So far they seem to be correct.
|
| Not really. Just recently: _GDPR enforcer rules that IAB
| Europe's consent popups are unlawful_
| https://news.ycombinator.com/item?id=30176712
|
| This is going to require some time, and thus some patience.
| Nextgrid wrote:
| I don't agree with the approach for obvious reasons, but he's
| not entirely wrong either. Even that ruling doesn't change
| anything - the IAB was fined a token amount, the others get
| off scot-free and can keep the profits earned over 4 years of
| illicit data processing.
| mpweiher wrote:
| Quite the opposite, the ruling made clear that trying to
| outsource the risk to a third party doesn't work.
|
| "All data collected through the TCF must now be deleted by
| the more than 1,000 companies that pay IAB Europe to use
| the TCF. This includes Google's, Amazon's and Microsoft's
| online advertising businesses."
|
| And if they don't comply with that...
| Nextgrid wrote:
| > And if they don't comply with that...
|
| How are they going to find out? Are they mandating source
| code & database audits?
|
| If it took them 4 years to take action on something that
| was pushed in every web user's face several times per
| day, you're probably looking for a few millennia for them
| to take action on something only a few hundred company
| insiders are aware of.
| jjoonathan wrote:
| Nice! Hopefully they keep up the pressure.
| tick_tock_tick wrote:
| I mean this clearly is still being worked out as consent
| popups are a requirement of the law but the enforcers and
| courts don't seem to like that fact and are getting very
| creative in their interpretations to avoid the explicit
| requirements of the law.
___________________________________________________________________
(page generated 2022-03-21 23:01 UTC)