[HN Gopher] Implications of Global Privacy Control
___________________________________________________________________
Implications of Global Privacy Control
Author : danielskogly
Score : 66 points
Date : 2025-03-16 09:50 UTC (13 hours ago)
(HTM) web link (developer.mozilla.org)
(TXT) w3m dump (developer.mozilla.org)
| casenmgreen wrote:
| Any takes on this from someone who knows about it?
| anticristi wrote:
| I work as a Data Protection Officer, which is a legal role
| under GDPR, and am rather unimpressed by GPC. I could whine for
| a day, but among the most problematic issues: It's not clear if
| "Sec-GPC: 0" should be interpreted as:
|
| 1. "no" to collect personal data under GDPR consent; or
| 2. "objection" to collect personal data under GDPR legitimate
| interest or;
| 3. "no" to retrieving and storing data on a user device (e.g.
| cookies, localStorage); or
| 4. A linear combination of the above.
|
| Personally, I think we should simply fine the heck out of all
| websites until they all feature a "Reject all" button. No need
| for browser vendors to propose a standard which at least one
| browser vendor can't be bothered to implement.
| jeroenhd wrote:
| "Sec-GPC: 0" is invalid. The value can only be 1, and that
| explicitly cannot be changed in the future according to the
| spec.
|
| This makes GPC a flag that means "unknown" or "opt-out".
| There is no "please share my data with your newsletter
| company" value, there can only be "do whatever the default is
| for sharing my data with any company you partner with".
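
Added example, not part of any comment in this thread: server-side handling of the header as the comment above describes it, where only `Sec-GPC: 1` counts as a signal and nothing can express opt-in. The function names, the `siteDefault` parameter and the sample requests are constructed for illustration, and treating malformed or repeated values as "no signal" is an assumption of this example.

```javascript
// Added example: all names and sample requests here are constructed.

// True only when Sec-GPC is present exactly once with the value "1".
function gpcSignal(headers) {
  // Header names are case-insensitive, so normalise before comparing.
  const values = Object.entries(headers)
    .filter(([name]) => name.toLowerCase() === 'sec-gpc')
    .flatMap(([, value]) => (Array.isArray(value) ? value : [value]));
  // Assumption: a repeated header is malformed and handled like any
  // other invalid value, i.e. as if no signal had been sent.
  if (values.length !== 1) return false;
  return String(values[0]).trim() === '1';
}

// The two states described in the comment above: "opt-out" when the
// signal is sent, "unknown" otherwise. No value means "opt-in", so
// "0" or a missing header is never read as consent.
function gpcState(headers) {
  return gpcSignal(headers) ? 'opt-out' : 'unknown';
}

// siteDefault (hypothetical parameter) is the site's own policy for
// visitors who stated no preference. The header can only turn sharing
// off; it can never turn it on.
function maySharePersonalData(headers, siteDefault) {
  return gpcState(headers) === 'opt-out' ? false : Boolean(siteDefault);
}

// Constructed sample requests.
const samples = [
  { 'Sec-GPC': '1' },          // valid signal
  { 'sec-gpc': '0' },          // invalid value, not a "no"
  { 'User-Agent': 'example' }, // header absent
  { 'sec-gpc': ['1', '1'] },   // repeated header
];
for (const headers of samples) {
  console.log(JSON.stringify(headers), gpcState(headers),
    maySharePersonalData(headers, true));
}
```
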
| andreasmetsala wrote:
| > Personally, I think we should simply fine the heck out of
| all websites until they all feature a "Reject all" button.
|
| Personally I'm tired of cookie pop-ups on websites, a reject
| all button does nothing to solve the actual problem. If a
| user's browser can somehow communicate the preference so we
| don't need to click on pointless stuff then wouldn't that be
| optimal?
| jm4rc05 wrote:
| in an era when google and openai ask to circumvent copyrights,
| what's the point?
| fmajid wrote:
| The point is you'd have one browser setting that would make all
| the obnoxious cookie consent pops disappear. Making laws is one
| thing, enforcing them is another, however.
| broken-kebab wrote:
| I think cookie consent is a different story. GPC would mean:
| "Under the GDPR, the intent of the GPC signal is to convey a
| general request that data controllers limit the sale or
| sharing of the user's personal data to other data
| controllers".
|
| It doesn't preclude a website from storing cookies, and
| therefore doesn't relieve it from the obligation (at least in
| the EU) to show an obnoxious popup
| bad_user wrote:
| Under ePrivacy, websites only need to show a cookie banner
| when they are doing spyware shit. There are exceptions to
| this, but generally speaking you don't need a cookie banner
| for functionality that the user expects. As one example,
| you don't need a cookie banner for a login cookie or for
| storing the user's preferences.
|
| While the law has flaws, it's very frustrating to see
| people misinterpret it, instead of reaching the correct
| conclusion that the vast majority of websites are spyware.
| And that it's not EU's law to blame, but rather standard
| internet practices related to analytics and the serving of
| ads.
| jm4rc05 wrote:
| and google's chrome will never ever ignore blocking own
| cookies, at least while they can
| roenxi wrote:
| > The main problem with DNT was the lack of legal and regulatory
| backing it received. Website owners could decide if they'd
| observe the DNT signal and there were no legal repercussions if
| they chose not to. This is where GPC is different.
|
| This sounds like an attempt to regulate the entire internet.
| drpossum wrote:
| So what do you refer to all the other stuff that is accepted as
| "the internet" but is not websites?
| pessimizer wrote:
| Ideally it would be an attempt to regulate more than that. If
| I've set a flag that indicates a preference about the use of my
| personal information that I have some legal right to demand, I
| want it enforced. You don't get to ignore my request because
| _internet._
| whatshisface wrote:
| It's just an extension of copyright, which already regulates
| the entire internet. You should have the copyright over your
| mouse clicks, plus 100 years after the death of the author.
| throw10920 wrote:
| How is GPC an extension of copyright?
| whatshisface wrote:
| _Laws_ for GPC are an extension of copyright, that prevents
| companies from selling works that (in theory) belong to us.
| IshKebab wrote:
| It's no more regulation than GDPR. They're just trying to make
| GDPR less insanely annoying.
|
| But given the EU's track record I give this a 0.1% chance of
| success.
| JimDabell wrote:
| I don't think this article does a good job of explaining what
| this achieves.
|
| > Web users want to have more autonomy over their data. They want
| to know who has it, where it's going and why, and they want to be
| able to consent to how their data moves between parties.
|
| > It's up to the developer/business to decide how to treat the
| signal, for example, removing the user's details from third-party
| tracking or marketing, following a similar procedure as to when
| users opt out of sharing data for marketing purposes. If in CCPA
| jurisdiction, the signal must be observed to avoid legal
| repercussions.
|
| Okay, so assuming a user has this enabled in their browser
| settings, and they register on a website. They tick the box that
| says _"Add me to your mailing list"_.
|
| Common sense would indicate that ticking of the box overrides the
| browser setting. So I can share their details with my mail
| service provider. So by default opt-out and asking for their
| permission to opt-in is compatible with this setting, right?
|
| Except now apply that logic to the mess of _"we respect your
| privacy, click here to allow sharing your data with our eleventy
| bajillion trusted partners"_ popups on so many websites. So,
| again, by default opt-out and asking for their permission to
| opt-in. So this setting does absolutely nothing to stem that tide?
| What's the point of it then?
|
| Also, how does this tell the user _"who has it, where it's going
| and why"_? All I see is a boolean flag.
|
| > At the time of writing, the Attorney General for California has
| recommended observation of GPC to comply with CCPA. There are
| also intentions to work with the European Union's GDPR
|
| By default opt-out and asking for their permission is already
| required by the GDPR, so what is being worked on here exactly?
| jeroenhd wrote:
| > Common sense would indicate that ticking of the box overrides
| the browser setting
|
| In theory, the /.well-known/ file could have its timestamp
| updated to reflect to the browser that the situation has
| changed and the user may perhaps need to make another choice.
| In practice, every website with trackers will just always
| pretend things have changed and browser controls will be
| useless.
|
| > Except now apply that logic to the mess of "we respect your
| privacy, click here to allow sharing your data with our
| eleventy bajillion trusted partners" popups on so many
| websites. So, again, by default opt-out and asking for their
| permission to opt-in. So this setting does absolutely nothing
| to stem that tide? What's the point of it then?
|
| This is why I prefer what Microsoft attempted to do with P3P
| instead. Of course no website ever bothered implementing it,
| but Microsoft came up with a protocol to at least list and
| display privacy policies for every partner website.
|
| If browsers came with UI to manage which trackers the user
| accepts by default, with specific website overrides of course,
| this mechanism could be extended to in-browser privacy popups
| that can have their defaults be "no, fuck off" without the
| ambiguity.
|
| The protocol could even be extended to permit the website to
| request changing the sharing setting, for instance when you
| sign up for a newsletter. As long as the UI is gatekept enough
| (say, once per x minutes after user interaction, up to y
| parties at once, otherwise the notification will be a little
| icon in the URL bar), it might just automate away the entire
| cookie popups.
|
| Of course you'd need to convince the EU and California to
| declare these protocols as mandatory, but I think that's going
| to be a lot easier with a protocol where users have more choice
| than with this unary GPC header.
| prerok wrote:
| What I think they will do is just prevent you from registering?
| You want to register? Disable the flag.
|
| The same as with the "do not accept". If you do not, they will
| nag you endlessly until you finally do allow the cookies.
|
| I mean, we just can't win :(
| onli wrote:
| The article ignores that the DNT header already had some
| regulatory backing, as in court decisions saying it ought to be
| respected.
| https://www.datev-magazin.de/nachrichten-steuern-recht/recht...
| references such a decision against LinkedIn.
|
| Instead of using that, this new proposal seems to be exactly the
| same thing, just with more work for website hosters (having to
| add nonsensical files to /well_known/) and claims that this time,
| the regulatory backing will be good enough. Bullshit. They could
| have just tried to enforce the DNT header now, with the new
| regulations and the old case law. Instead they ripped it out of
| Firefox.
| jeroenhd wrote:
| DNT failed because advertising and online stalking companies
| refused to abide by it when browsers enabled it by default. The
| GPC spec tries to work around this by having the spec disable
| the feature by default.
|
| This new spec is necessary because American legislation
| requires opt-out signals not to be the browser default. That
| means DNT, as browsers used it, is not legally an opt-out
| signal, because browsers default to it.
|
| What this is doing is throwing out the header that had legal
| backing in Europe for a slightly worse copy that hopefully has
| legal backing in America in the future.
|
| It's a silly specification, but if it gets companies to
| actually respect this iteration of the DNT spec then I'll
| accept it.
|
| As for DNT, Firefox may have removed it but addons can still
| set it. As useless as that may be, because the spec is marked
| as outright deprecated
| (https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/...),
| you can still send the signal.
| salawat wrote:
| Allowing assholes to continue being assholes is the crux of
| the problem. Companies ignoring DNT on as a default should
| have been met with massive punitive fines and liability.
| Instead, we're not doing anything to curtail the behavior.
| inetknght wrote:
| > _American legislation requires opt-out signals not to be
| the browser default_
|
| Can you cite the legislation stating that?
| luckylion wrote:
| Wasn't this just Microsoft back in the day that enabled it by
| default, and they were already a small player at that point
| (Chrome was the leader and even Firefox had more market-share
| back then iirc).
|
| In other words: "browsers" didn't make it the default, one
| small browser did.
|
| And so if _any_ browser, whatever tiny percentage they might
| have of the market, will make this new proposal the default,
| advertisers can again say "see? totally unreasonable, we
| won't follow that".
|
| But it being made default by Microsoft was never the problem,
| ad-companies just didn't care.
| joker99 wrote:
| There are dozens of ways how browser devs could make it
| default, without making it default - by way of malicious
| compliance. Example: The first time the browser is opened,
| display a big fat page asking "DO YOU WANT TO BE TRACKED &
| SURVEILLED ON THE INTERNET??? NO (highlight in nice colour) /
| YES (add dark pattern here) / learn more (in tiny font)".
| Pretty sure most people would click "NO". Every couple of
| weeks it could pop up again with a similarly phrased question
| "ARE YOU SURE YOU STILL DON'T WANT TO BE TRACKED?" but this
| time with a nice UI element where the user can specify that
| the answer to this rhetorical question will stay the same for
| the next n days/months/years/decades/centuries/millennia.
| colingauvin wrote:
| I was pleasantly surprised to learn that my state passed a law
| requiring businesses that serve 50k or more residents here
| respect this setting and opt me out of tracking by default.
| greatgib wrote:
| Do I understand correctly that this means that browser will have
| to do yet another useless request to domains or website to know
| the GPC status in addition with the request required to retrieve
| the resources? In addition with OPTION requests that already
| have to be done?
| jeroenhd wrote:
| OPTION isn't always necessary, there are ways to prevent those
| requests.
|
| Also, the GPC request will probably only be sent when you
| enable GPC, which basically means "almost nobody".
| nimbius wrote:
| these web frameworks for privacy always give me a chuckle. DnT
| didn't work, why would this?
|
| Advertising is an economy worth more than 7.4 trillion USD. it
| has evaded _most_ attempts to regulate or restrict it in any
| meaningful sense in the 21st century. the GDPR serving as a
| bureaucratic organ to which advertisers must subscribe, or
| quietly ignore with all but the most modest and encumbered window
| dressings for the illusion of choice by the user.
|
| you cannot restrict, limit, control, or meaningfully impact a 7.4
| trillion dollar economy with a voluntary framework. this market
| rivals the GDP of many developed nations. it will simply spend
| its way out of any legal problem. there exists no fine that can
| tame it.
|
| The only thing you can reasonably do in the face of something
| that evades even governments themselves, is to ship a built-in
| version of uBlock and noscript, and a blacklist of advertising
| provider DNS, that is enabled by default for the user. make
| cookies whitelist-only, and make counter-fingerprinting
| technology default.
|
| you must do things that cause, as an organism, marketing and
| advertising agencies to recoil in terror. DoH is a good example,
| which rallied nearly every telecom provider in the US to lobby
| the federal government until Mozilla and others acquiesced to
| letting them join the club.
| jeroenhd wrote:
| If the CCPA does indeed interpret this as an opt-out signal,
| those 7.4 trillion are going to be at risk of a whole lot of
| (class action) lawsuits. The spec is trying to make itself
| applicable as an official, regulated signal. DNT couldn't,
| because Colorado (or more likely, a large donation by those 7.4
| trillion dollars) decided that an opt-out cannot be the
| default.
|
| The stupidest thing is that Google actually got in trouble for
| trying to restrict third party cookies by default. The UK
| competition watchdog agreed with advertising companies that
| Google making such a decision would be abuse of power and bad
| for competition. That's why they came up with this weird
| alternative ad system where your browser tracks your interests
| and shares them in request, so that ad companies can shut the
| fuck up about it.
|
| Once Google is forced to sell Chrome to a third party, I hope
| third party cookies will finally be disabled by default.
| tbrownaw wrote:
| > _because Colorado (or more likely, a large donation by
| those 7.4 trillion dollars) decided that an opt-out cannot be
| the default._
|
| A setting left at the default value does not indicate that a
| person has taken action to express a preference.
|
| It's not a bad thing, or proof of bribery or regulatory
| capture or whatever, if some jurisdictions decide to formally
| recognize this reality.
|
| > _The stupidest thing is that Google actually got in trouble
| for trying to restrict third party cookies by default. The UK
| competition watchdog agreed with advertising companies that
| Google making such a decision would be abuse of power and bad
| for competition._
|
| From what I recall, Google was trying to grant themselves a
| unique privileged position where _Google and Google alone_
| would be able to track individuals across sites.
| hedora wrote:
| > _The GPC signal will be intended to communicate a Do Not Sell_
|
| So, there is no tracking opt-out like DNT had.
|
| Do Not Sell is classic regulatory capture: It allows incumbent
| players to continue their current bad behavior, and directs
| revenue streams from smaller players (data brokers) to existing
| monopolies.
|
| Also, this opt out won't interfere with Mozilla's recently
| acquired ad business, which uses user data to sell ad real estate
| (invading their privacy with obtrusive ads).
|
| (Sorry for the awkward sentence, but they claim it is a privacy
| preserving technology that doesn't gather or sell user data, and
| there's no way to be doublespeak compliant without using tortured
| grammar.)
| weare138 wrote:
| This article is intentionally misleading:
|
| _The main problem with DNT was the lack of legal and regulatory
| backing it received. Website owners could decide if they'd
| observe the DNT signal and there were no legal repercussions if
| they chose not to. This is where GPC is different._
|
| ....
|
| _What to do when receiving a GPC signal
|
| It's up to the developer/business to decide how to treat the
| signal, for example, removing the user's details from third-party
| tracking or marketing, following a similar procedure as to when
| users opt out of sharing data for marketing purposes. If in CCPA
| jurisdiction, the signal must be observed to avoid legal
| repercussions._
|
| So what's the difference? Without regulations, which is the real
| issue here, all this is meaningless just like DNT was. The system
| is solely based on trusting the site to comply. CCPA only applies
| in Europe. None of this would apply to users in the US but the
| article disingenuously implies it would:
|
| _At the time of writing, the Attorney General for California has
| recommended observation of GPC to comply with CCPA_
|
| That is not legally binding in any way. This is just DNT with
| extra step being sold as something it's not. I fail to see how
| this will benefit the user while making it harder for users to
| block trackers and advertisers. A site can't prevent you from
| blocking its cookies because cookies are stored locally through
| the context of the browser. Sites can't prevent users from
| blocking, deleting or modifying cookies.
|
| But GPC signals are sent via HTTP headers. Sites could prevent
| users from accessing the site by detecting if GPC is disabled by
| the user in the browser just by checking the HTTP headers,
| forcing users into sharing information with the site to be
| allowed to access the site.
| TZubiri wrote:
| I'm an absolute outsider to this, I use edge and would use chrome
| if need be.
|
| It seems to me like mozilla appeals to paranoid users who don't
| pay for software and also don't want to see ads, and in exchange
| insane demands and revolt is placed upon them.
|
| One thing you learn when providing services is that the demands
| don't ever stop. The more you provide for free, the more demands
| you get.
|
| Would not want to be in this space, let's normalize paying for
| software, then you wouldn't need to worry about alternative
| monetization schemes.
| throw10920 wrote:
| I don't think that Mozilla is saying you should provide service
| for free. If GPC is turned on, the website can just pop up a
| paywall, no?
| 1vuio0pswjnm7 wrote:
| For a while now I have been adding a "sec-gpc: 1" header in the
| forward proxy (client/browser agnostic). Thus, at least one
| person is using it.
| JimDabell wrote:
| Unfortunately because this is rare, it's a strong signal for
| fingerprinting and helps people track you without your consent.
| 1vuio0pswjnm7 wrote:
| Maybe I can use the GPC header as a way to let advertisers
| track and target me with exciting offers. Perhaps they can
| create a "fingerprint" from the three headers I send:
| Host+Connection+GPC, as I request web pages with netcat or
| tcpclient through a localhost-bound TLS forward proxy. I use
| these clients on a daily basis for making HTTP requests. I read
| HTML with a text-only browser. I do not use DNS when requesting
| www pages. The needed IP addresses are stored in the proxy's
| memory. For some reason I never see any ads.
|
| Unfortunately, the sec-gpc header does not seem to be working
| as I have not received any advertisements after I started using
| it. Perhaps I have to manually request the ads and send the
| telemetry since I am not using a browser that auto-loads
| resources or runs Javascript. Maybe I need to put the IP
| addresses for the tracking and ad servers into the proxy's
| memory.
|
| Meanwhile, I am missing out on whatever products, services and
| campaign drivel the advertisers might show to people who use
| netcat/tcpclient and send only three HTTP headers. No doubt all
| the online merchants using text-only e-commerce platforms must
| target some amazing offers to all the online shoppers using
| netcat/tcpclient.^1 Someday maybe I too can receive them.
|
| 1. IIRC, funnily enough, there is a commandline "e-commerce
| solution", i.e., online store, that has been shared on HN
| before, perhaps as joke.
___________________________________________________________________
(page generated 2025-03-16 23:01 UTC)