Ask HN: A way to adblock “we're using cookies” popups?

668 points by rayalez ↗ HN
Whatever the intent of the GDPR was, the practical result is that now I have to click away the annoying "we're using cookies" popup on every website.

Is there any way to do this automatically? If there isn't - there should be. Maybe people should use some special tag for them, so that it would be easy for users to block them on all the websites, if they want to.

349 comments

[ 3.2 ms ] story [ 353 ms ] thread
That is the way, but there's no need to install an extension just for it. Just add the IDCAC filter list to uBlock Origin (uBO settings => Filter Lists => Import, at the very bottom):

https://www.i-dont-care-about-cookies.eu/abp/

Also on that same page you can enable some of the 'Annoyances' filters. Just be aware that some of them block social media buttons (FB/Twitter like/follow embeds), which you may not want.

Isn't uBlock Origin an extension?
Yes, but uBlock and can do everything IDCAC can do, and more, so there's no point in having both installed.
Sure but what if you only care about cookie warnings and use site that are supported by ads?
Tangential question, but I would love to know if a group of people who prefer ads but not cookie warnings exist? Do they rank supporting the website above minor inconvenience of pop-ups and advertisements? That's gotta be a unicorn in terms of internet users.
Uh, I'm in this group.

I think that if I'm visiting a website and using its bandwidth, the website ought to get paid. If the ads are too egregious, then using the website isn't "worth the cost" and I go to a different website.

I do however pay for Scroll[1], and I use Firefox's Enhanced Tracking Protection. Due to the latter, many websites think I'm using an adblocker and complain, which really irks me.

---

1: https://scroll.com/

You'd be surprised if you knew how indoctrinated teens get in terms of not blocking ads on their favorite youtuber's channel.
I like ads. Instagram story interstitials are very enjoyable ads.
You don't support the website by seeing ads. The only reason why anyone is paying for ads in the first place is because it affects the bottom line. So if you just see ads and don't buy the things they are pushing, the price that advertisers are willing to pay will decrease over time.

Only when you make a purchase based on an ad are you supporting anyone. At that point you should just buy the better product and support the website by sending them money instead of buying a shitty product that has advertising priced in.

Whitelist the good sites? Given that the vast majority of sites run garbage and/or intrusive ads, auto-playing videos, etc. and I don't really care about supporting most of them, a blacklist-first approach makes sense and I just whitelist the very few on which I'll accept ads.
Technically speaking, uBlock origin is not strictly an ad blocker. It is a general purpose content blocker; it will block whatever content is matched by its block lists; and it happens to ship with ad lists enabled by default.

Of course, practically speaking it doesn't just "happen" to block ads; that's a major motivation for its development, and so we usually just refer to it as an ad blocker.

To answer your question directly: if you want ads and no cookie popups, disable the ad lists and enable the cookie popup list.

Yes, at that point you may as well just install the other addon, but the uBlock method preserves a key advantage: the ability to combine multiple cookie popup block lists. This is useful in case several people are making lists that cover different corners of the internet.

Using sites that are infested by ads is the very reason to use an ad blocker.
For some people. Others don't consider advertising to be evil.
You'd still be better to use uBO since it's the more actively developed software.
True, but IDCAC is more focused on cookies.
You can use sites that are supported by ads just fine with adblock. Why couldn't you?
It blocks ads, so the sites can't produce content.
Not sure why, but unfortunately using that list in uBlock Origin (latest Firefox 77) does not produce the same result as using the "I don't care about cookies" extension;

Example website for which blocking the cookie popup does not work with uBlock Origin: https://tweakers.net/

I don't get any cookie popup on that website, without the IDCAC extension or filter list. I'm only using the opt-in 'Annoyances' filters in uBO.
That's odd; it appears they are using a different cookie 'popup' depending on the browser/OS...?

I tested on Ubuntu and macOS with the latest Firefox (clean profile) and Chromium and i get the cookie popup/wall, even with ALL default uBO filter lists enabled, and also with the IDCAC list enabled in uBO. Screenshot: https://imgur.com/jcr4EuP

However i just tested with https://www.browserling.com/ which uses Windows 7/Internet Explorer 11 and here i do not see the 'cookie popup/wall' but instead i see a blue 'cookie banner' (which is easier to block with uBO.)

That's weird. I'm on Linux but enabled privacy.resistFingerprinting in about:config, which sets the user agent to a standard Windows one (same as Tor Browser iirc) and also brings over a bunch of other Tor Browser features. Only downside is it reduces timer precision which makes some games lag, so occasionally I have to turn it off for a bit.
I figured it out... they are showing a different cookie banner/cookie wall depending on the origin country of your public ip :)
(comment deleted)
That chrome extension has quite a memory footprint and seems to slow everything down... Haven't debugged, but my browsing sessions have been a lot less laggy since I disabled it...
That's the reason I disable it and install Ghostery instead. uBlock Origin makes youtube videos stutter at about the 2 second mark on my Raspberry Pi 3's (I don't know about the rpi 4's because I remove uBlock and install Ghostery as a default nowadays) and also my laptop, which runs Windows instead of Linux (so it's not just an OS issue.)

Ghostery doesn't have as many bells and whistles, but it does greatly minimize the main annoyances out there, and it doesn't slow anything down noticeably.

It might all be a moot point by this time, since Youtube has changed how they load in such a way that it stutters no matter what because it is so busy downloading absolutely every item on a page all at one time instead of prioritizing the video stream like it did about a decade ago (back when you could pause a video and it would download fully even while not yet playing, thus avoiding the bottlenecks altogether...).

Ironically that puts me back to pausing everything first just to give all the useless off-screen crap enough bandwidth to load without ruining the video experience.

No matter how much faster technology gets, they find a way to make it more and more sluggish every time.

Try disabling generic cosmetic filters in uBlock.
Ghostery is the one which reports your browsing history to advertisers (by default/opt-out), and also shows advertisements of its own.

Not recommended over uBO.

https://en.wikipedia.org/wiki/Ghostery#Criticism

I haven't seen any ads, except Twitter's sponsored posts. It is possible/probable I set the right setting back when.

Since Youtube chokes anyway nowadays (I did manage to stave it off for a few years), I might as well go back to uBO.

Even with uBO, Twitter's ads still show up for me.
The ads I get on Twitter are at least related to my interests, and sometimes are new things that are right up my alley (like new Rasbperry Pi gizmos, and that Turing Tumble game), so I don't even mind. They must have a lot of advertisers to be able to be that specific.
You may have better luck using vlc / mpv to play YouTube videos on the pi.
For the record, this section of Wikipedia seems pretty outdated. Ghostrank has been removed from Ghostery in 2017 after Cliqz acquired Ghostery and the extension was open-sourced.

(Disclaimer: I worked there at the time)

> uBlock Origin makes youtube videos stutter at about the 2 second mark on my Raspberry Pi 3's

If uBO is really responsible for this, you should probably check the box "Ignore generic cosmetic filters" in "Filter lists" pane. For instance, this is the default in Firefox for Android, I consider it's best for less powerful devices.

I'm going to try that. It's definitely uBO because when I replaced it with Ghostery, the problem was gone. That's the same on all my pre-rpi4 devices and my laptop. If that fixes it, I'm surprised they don't just set it up that way by default in Raspbian.

But now it'll be hard to tell, because Youtube has changed the way it downloads stuff in the background without prioritizing the stream. uBO definitely blocked a whole lot more noise than Ghostery does.

If you are already using ublock origin go to settings > filters list > annoyances, turn on easylist-cookies.
And for the ones that still pop-up, you can manually filter that DOM element and save it on your rules.
Ya, and it seems like about 20% of sites use cookielaw.org, so filtering out that domain is a good start.
I am amazed, at how much that annoyed me, too - and why I never bothered to find out, that ublock origin has this as a hidden feature. Awesome. I just also turned on all of the other annoyance settings. Is there a good chance of real content getting removed, on occasion, or do they work quite good?
I have had all list except the extra languages lists enabled for a couple years now. Online fast food ordering sites (e.g. Chipotle) are the only ones I've noticed get broken.
It's pretty easy to make your own, too. I use the element zapper and picker to block Reddit's incessant demands that I use "new" reddit and get a "premium" membership. I also use it to block Facebook's "trending" bullshit.
Either an element zapper or a one click sticky-header killer should honestly be standard issue features in browsers nowadays. The web would be a miserable without them, especially on mobile.
I'm just concerned that's inviting an arms race where unwelcome page elements get randomized CSS namespaces. Fuck that noise.
In that case we could just match by the CSS rules' content - i.e. match all elements that have style X, Y, Z applied to them. That kind of arms race would be over real quick.
The arms race is that the next time you come back to the page, the offending element has a slightly different style (randomized CSS class name, RGB values changed by 1, font size changed by 0.1...) and your browser doesn't recognise it as being the right element to block.
Whitelist, not blacklist.

Which whould break CSS minifiers, but that's the point.

Match by ranges so changing values by 1 doesn't work. At the end of the day a human would have to come up with an entirely alternative style for the page to defeat your filters.

Pretty much any machine generated variations can also be defeated automatically by a machine. If defeating your filters takes a lot of work, and only helps until a few days later you update your filters in a few minutes, nobody is gonna bother.

You can have filters that look at parent or child elements of the randomized element or other patterns.
I hate to tell you this, but we're already there.
That's already the case with sites like Twitter. In order to remove the trending pane in uBO, I had to rely on a11y attributes:

##div[aria-label="Timeline: Trending now"]

And random structure to break nth-child selectors.

Even better: draw everything in a canvas.

I activated all the options in uBlock Origin a couple months ago and didn't miss anything so far. Of course when I visit a new site it's hard to know, but the few times where a site was obviously missing some content it turned out to be broken in general.

So I would say the filter works pretty well, I didn't get a single popup of any sort ever since.

> Is there a good chance of real content getting removed, on occasion, or do they work quite good?

Yes, I sometimes get some real content removed. If something looks strange, I temporarly deactivate uBlock. Last time it was a GDPR checkbox at a store checkout.

Normally I disable ublock if I'm actually buying something from a website exactly for these sort of issues.
Or just use a different browser/Firefox-profile which still has uBlock Origin installed but with only the default filter lists...
Wow. Thanks, this was massively irritating.
OMG. Why have I been wading through the interweb of annoyance all this time?

It’s amazing how much of a difference this makes. I was starting to find the web so hostile. Every page an annoying battle with cookie pop ups.

I am so genuinely happy

Thanks. This should be turned on by default.
That would place the plugin authors in a potentially dicey position legally-speaking.

The publisher is trying to adhere to a law (for better or for worse) by giving the user visibility into technologies and data usage.

A plugin hiding that by default can lead to all sorts of nastiness.

Hiding the popup simply means the site cannot legally set unnecessary cookies. Which they don't if you just ignore the popup or click its close box. That's effectively all the plugin is doing, so it's a perfect solution. It might annoy the site owner, because they would really like you to click "Yes" but it's perfectly legal for them to never get that "Yes" and just never send you cookies.
> Which they don't if you just ignore the popup or click its close box.

The majority still sets the cookie, by using implied consent. In best case they don't set anything if you Decline but most don't even do that. The banner is then merely an information popup about cookies in general.

Example: https://news.ycombinator.com/item?id=23523294

Yes so the website owner is in a dicey legal position, not the plugin author.
Yes, but the statement that simply ignoring the cookie banner will result in no cookies being set is still wrong. The reason being that almost no sites are compliant.
They are violating the law. There is no implied consent, except in the mind of people whose income depends on there being such a thing.
I know. I'm not saying it's compliant.
This is fantastic, can't believe I've not used that setting before...
I was doing it manually every time like this ;

Right click on ad / pop up -> Block Element ( a rule is automatically generated ) -> Create. Voila ! You might have to do it 2-3 times for the same element as it might have several layers. But then you're done and you haven't been forced into clicking "ok"

( With uBlock Origin )

Does this automatically remove the element and give no feedback to the site, always give the site permission to set cookies, or always deny the site permission?
I haven't tested but, as far as I'm aware unlock origin never sends anything back to a site, it just blocks content so I expect that it would just remove the element with no feedback.
tldr; uBlock Origin removing the html element containing the "we use cookies" banner is effectively the same as clicking "OK" or "Accept", even without notifying the site/server. If there are any exceptions, they are extremely rare.

---

Long answer:

The vast majority of sites that show the GDPR "we use cookies" banner remember you clicked "OK" or "Accept" by setting a boolean value, either in its own cookie or as a key-value in your session cookie's storage (whether stored client-side or server-side). The ONLY thing the boolean does is determine whether or not to show the banner. That's it. I've never known of a company or site that changes the privacy/retention behavior of its features based on clicking "OK" or "Accept".

As I understand it this solution doesn't follow the law, as users are supposed to be able to decline cookies and somehow still maintain state; the lawmakers don't understand a session is necessary for things like logins, so of course companies compromise with a simple banner that you need to accept/dismiss to "grant permission". When was the last time you saw a "Decline Cookies" button? If you click it, does the site work as expected? Answer: probably not, or the site uses the same cookie/session strategy anyway without telling you.

Source: I've seen dozens of such implementations, and they're all the same. If the cookie/session value indicates not to show banner, then the layout/view simply skips outputting the banner. No other line in the entire code base ever reads the value of that cookie/session.

I have been increasingly seeing cookie banners that provide more options than just the typical "Ok" or "Accept" buttons, such as a more restrict cookie tracking configuration. Not sure if selecting the more restrict config will have any effect in those sites though, besides just hiding the banner in future visits.
> users are supposed to be able to decline cookies and somehow still maintain state

GDPR only applies to non-essential tracking & advertising cookies. Login cookies are always allowed, and you don’t need a banner to state that you use those.

Which sounds a lot like the "DNT" (do not track) or Microsoft's "P3P" (Platform for Privacy Preferences Project) headers. Which both failed, because if companies were required to respect those standards, all advertising and tracking would be extremely easy for users to opt out across the board as a single global preference.

The problem is that each site can choose its own text to display, which buttons/options it shows, and how those settings are supposedly enforced. This doesn't belong in the html of a site. This is exactly what a cross-browser preference should be doing. Which should probably be a modern–and most importantly standardized equivalent–of the P3P header. Every site should have a static set of options it can request, so users are used to accepting or declining the same set of permissions regardless of the site that is visited. Otherwise agreeing to the per-site cookie banner is just as convoluted as expecting users to read Terms and Conditions policies. I have never read the text in a cookie banner, and I never will. I click the OK/Accept button immediately, just like any T&C/ULA.

Imagine if requesting webcam, microphone, notifications, or gps/location permissions were possible by a site including its own custom banner, and if you clicked OK/Accept, it immediately got access to those features. Of course browsers don't allow this, because sites would abuse it and trick users into granting permissions when not desired. Instead, your browser provides a standardized prompt for requesting such permissions. There is no reason for tracking cookies to be exempt from being required to follow the same model.

The trick of the GDPR vs those browser technologies is that there’s actually regulation because obviously the industry can not be trusted to self-regulate.

Indeed, there should be an enforced UI, but that’s not how the EU tends to regulate on privacy, and without EU regulation none of the companies currently trying to entirely ignore the GDPR will use it. They have put out guidance that some current attempts at pretending to comply are illegal, and I expect to see fines regarding that in the next couple of years - the difficulty is creating a solid case that isn’t going to undermine the GDPR through case law. I wonder, though, if there were a dirt simple API for consent in the browser, whether independent developers who would honestly like to comply would use it.

Is this true? What about shopping cart cookies, especially as a 'guest'? Does that need Cookie op-in, legally?
"the cookie is strictly necessary to provide an ‘information society service’ (eg a service over the internet) requested by the subscriber or user. Note that it must be essential to fulfil their request – cookies that are helpful or convenient but not essential, or that are only essential for your own purposes, will still require consent."

If the site's using a common framework, convenient and essential uses will be combined in a "session id" cookie which needs re-developing, or just slap a cookie warning on it.

https://ico.org.uk/for-organisations/guide-to-pecr/cookies-a...

We can look to the GDPR text itself to answer that. Is the cookie there in order to create a profile with other information in order to identify a natural person. If yes, then the company is required to treat that cookie identifier with the same care and requirements as other sensitive personal data like social security numbers, passport numbers, personal ID numbers, and so on.

Law is fuzzy by nature, but it seems pretty clear that a shopping cart cookie is exempted from needing consent. Functionality of services that are expressly requested by users do not need consent, and in this case we have users that want to put items inside a cart in order to buy it. If that creates a profile on the server, and that profile is combined with other information, and then used outside the scope of the customer relationship, then we are moving into the area where consent is needed.

We can draw a parallel to data collected offline. A person go to a store and talk to a sales representative about buying a product and having it shipped home. At what point do the sales person need to ask for GDPR consent? The answer is likely the point where the sales person saves a profile of that customer on the computer, and the profile is intended to be used outside the context of that purchase.

Thank you - clear breakdown there!
> as users are supposed to be able to decline cookies and somehow still maintain state; the lawmakers don't understand a session is necessary for things like logins

The lawmakers do understand that, you are allowed to use sessions and cookies for essential tasks like tracking login state, and no popup is necessary in this case.

I wouldn't be shocked if you are correct and many devs are indeed completely ignoring the legal requirements here, but that may be in part due to developers not understanding the legal requirements or believing incorrectly (as you seem to) that the requirements are not technically feasible.

A simple, GDPR compliant solution would be a tickbox for "remember me across visits" next to the login form. If ticked you get a persistent cookie, if unticked just a temporary session that goes away when the browser is closed. No popup is needed.

You don't need a tickbox either if it's just a login cookie.
Thank You. This is new to me.

If login Cookies are allowed, and your login site already has your profile hence your Ads preference. Why do they still need to use cookies banners?

Just in case they get sued.

..while their ads preference dialogue has pre-checked options which is clear violation of GDPR...

IANAL. It's not about cookies per se, it's about your information and what it's used for. If your information (e.g. a unique ID) is used for something you want (e.g. login), that's fine. If they want to use your information (could be the very same information, i.e. your unique ID / user profile) to track you, advertise to you, sell your profile to advertisers, ... they need extra consent for that.
Legally I haven't given affirmative permission so they're not allowed to track me. The same if I just ignored the cookie banners (which is what I did... until 2 hours ago when I saw this post).

Practically I assume most of the sites are breaking the law, because that's how I expect webdev's to think and because most of the cookie banners aren't nearly up to spec to satisfy the law so I assume they aren't being that careful.

The Irish data privacy regulator recently did a sweep of 38 Irish websites, reviewing for cookie compliance. Two-thirds of websites were found to be relying on "implied consent" and 37 were found to set unnecessary cookies on landing before consent was given. Overall only 3 websites were rated as "substantially compliant."

Further reading: https://www.dataprotection.ie/en/news-media/publications/rep...

Every site involved will say compliance is too difficult or whatever.

What I wonder is, if you're not going to bother being properly compliant, why bother adding a GDPR banner at all?

Because your boss has a boss who has a legal adviser who tells him they have to have the appearance of meeting the requirements of the law/regulators. Compliance theatre. They all know it's smoke and mirrors but it ticks a box in someone's board meeting agenda.
Because there's a huge difference between being "blatantly non-compliant" vs "properly compliant".
If GDPR starts to be enforced, they’ll go after the low hanging fruit first.

You don’t need to be compliant, just more compliant than the worst.

I suspect most sites will get a warning first. I have a website myself with Google Analytics and I've never added a banner myself, I'll wait for the warning first, and I expect my users to have blockers installed if they're privacy-conscious.
Thank you! I can't believe I haven't looked into that until today. I could not care less if a site uses cookies, but the notice was always super annoying.
Thank you, I wish I had known this 5 years ago.
Or cookie consent block list https://www.i-dont-care-about-cookies.eu/
I also like No-Thanks: https://www.no-thanks-extension.com/ €9.85 for the year

>>>

"No, thanks." - what's that?

Tired of newsletter pop-ups? Chat, feedback and contact boxes? "Install our app" toolbars? "Allow notifications" pop-ups? "Let us know your location" pop-ups? Survey and opinion pop-ups? "Rated by", "Protected by" and similar boxes? Toolbars offering website translation? "Back to top" buttons? Sticky video boxes in the corner?

Install "No, thanks." into your browser, choose what you want to hide and clean your precious screen space!

Yup, I use this one as well, and it's fantastic. The developer is a nice chap as well, and can give you an invoice for your donation.
On a related note is there a good plugin that blocks those annoying "would you like to subscribe" type floating popups? I feel like we've gone back to 1996 with those things. Often when I get one of those my first gut reaction is to leave the site rather than search for the "X" button, but now almost every site has them.
When shopping though those newsletter sign ups often give you 10% off.
For those using Brave browser: Go to brave://adblock and select "Easylist-Cookie List - Filter Obtrusive Cookie Notices"
It must be the sites I go to, but I've always had this enabled, and I still get plagued with Cookie requests. :(
You're my hero, thank you so much! I never even knew about these settings.
One downside is that some apps refuse to work until you make a choice in the cookie pop up. So if you hit a site like that you need to:

* Pause your blokcer

* Reload the site and accept/deny cookies

* Resume your blokcer

Thank you.

There are numerous sites I go to regularly incognito to log in as an admin vs. end-user: several have low-profile, low-contrast cookie warnings which disable all other menus until you acknowledge them (without an apparent overlay). Just that little extra bit of friction every day adds up.

I’ve always thought this should be a browser feature. It would be more useful than the DNT header, anyway...
I think of websites as just programs that run on a platform, a browser, which has a much smaller API than an operating system but effectively is one.

On the one hand, these notices are akin to EULAs some programs make you click through when you first run them. We're more desensitized to those now, but they were never mandatory.

On the other, I can't remember the last time an app maker got in trouble for keeping track of what users do. I can see it making sense to know that a single entity has been tracking you through a diversity of websites, but you enabled cookies in your browser for a reason. The site I deliberately chose to download and run the code of shouldn't need my permission to save state for that site.

Android prompts you when an app needs permissions. OSX has started promoting you for permission the first time an app wants to access the filesystem. Seems a bit arbitrary to make websites handle that.

This is what happens if browser vendors don't solve the issue with technical measures, being too afraid to break things.

(Not surprising, given that a the largest one, being or close to being a de-facto monopolist, has conflict of interests on the matter of user tracking and profiling.)

We get a legal solution which is poorly understood, has weird unintended side effects (because it was made by non-experts) essentially breaking things (just... non-technically), and doesn't really prevent the bad actors from continuing what they did.

This issue can't be solved purely with technical measures, unless you're willing to accept major loss of functionality. The GDPR is fine, enforcement is what's awful.
1Blocker for iPhone filters most “we’re using cookies” annoyances.
We should encourage the EU to remove this ridiculous requirement.
That is part of the ePrivacy Regulation (https://ec.europa.eu/digital-single-market/en/proposal-epriv...) which was supposed be implemented at the same time as the GDPR, but got stuck because of (so far) successful lobbying by advertising companies:

Simpler rules on cookies: the cookie provision, which has resulted in an overload of consent requests for internet users, will be streamlined. The new rule will be more user-friendly as browser settings will provide for an easy way to accept or refuse tracking cookies and other identifiers. The proposal also clarifies that no consent is needed for non-privacy intrusive cookies improving internet experience (e.g. to remember shopping cart history) or cookies used by a website to count the number of visitors.

> The new rule will be more user-friendly as browser settings will provide for an easy way to accept or refuse tracking cookies and other identifiers.

Browsers have provided this functionality for 10+ years. Why the law didn't target the user/browser level instead of the website level is beyond me.

The browser knows that the cookie exists, but it has no way of knowing how the server is going to use it, or what the cookie is actually for. A single cookie might even be simultaneously both, and force the user to accept cross-site tracking in order for the site to work correctly.

I guess there's complication zero-knowledge proofs that could solve this problem, but they're too slow right now.

>The browser knows that the cookie exists, but it has no way of knowing how the server is going to use it, or what the cookie is actually for.

There was a standard for that, too. https://en.wikipedia.org/wiki/P3P. There's no reason why something similar can't be implemented now.

Browsers don't have a way to block tracking cookies without collateral damage.
(comment deleted)
Wouldn't that defeat the purpose of having the choice to not allow sites to save a truckload of cookies on your computer?

If anything maybe we should encourage having a "master preference" set in the browser, something like DNT (but not so easily ignorable) that just tells all websites on the user's behalf to only allow the absolute minimum number of cookies needed for the site to function. A small message on the bottom of the page could give more details or allow manual changes.

The choice is programmatic. You can disable cookies on your browser. You can delete cookies you don't want. Done.
The thing is, this is not only about cookies, despite the cookies being the poster child for it.

The regulation applies also to all sorts of analytics, fingerprinting, behavior tracking, user tracking, etc., which is far more prevalent and problematic than simple cookies.

How do you "delete" that?

We can still establish that cookies are fine and outright fingerprinting/tracking is not, this isn't even that difficult because on a technical level cookies are the optimal option privacy-wise, in the sense that users have full control over what data is being stored, and to whom it is sent. The problem is that not everyone is aware of this choice and most browsers don't provide safe defaults.
Some web admins have no choice if their CMS sets cookies. Theres plenty of content management systems that do just this.

OctoberCMS for example sets a cookie for every user and there's no way of turning this off, and lots of WordPress plugins just don't care with no option to disable this behaviour .

So most banners are just a notification rather than a choice. e.g. Continue to use the site and you automatically opt in. Which is not the intended goal for the law.

> Some web admins have no choice...

Of course they do, or one of their superiors does. Computers are physical devices that do what their operators tell them to do; it’s entirely reasonable to hold the operator responsible for what the computer does at their request. That includes the overt behavior of any software they choose to run, and they always have the option to choose different software or, in the extreme case, unplug the server and discontinue service.

>Some web admins have no choice if their CMS sets cookies.

Then the solution is simple: Stop using those CMSes.

>So most banners are just a notification rather than a choice. e.g. Continue to use the site and you automatically opt in. Which is not the intended goal for the law.

That is breaking the law. Generally, people should not do that.

What’s wrong with DNT? Just need some judge to determine that DNT means there is no consent given.
The problem is that ticking the DNT box will probably have absolutely no effect. At this point we can safely consider it dead. It barely ever saw any adoption, it was easily and "legally" ignored anyway, Apple dropped support for it more than one year ago, and even the W3C DNT working group was dissolved.

Now we have GDPR which is legally enforceable (officially) so we could use the technical implementation that can automate applying it.

(comment deleted)
EU doesn't require these BS popups. Both GDPR and the earlier "cookie directive" (the ePrivacy directive) only require user consent before setting cookies (or using other similar technologies, not only cookies) that have privacy implications (e.g. user tracking, advertising) - and then that consent can be also managed by other means, there is no requirement to have such a popup.

Normal cookies required for the functioning of the website - e.g. session tracking, user input, etc. are exempted and don't require user consent.

See for ex. here (the official cookie guidelines for EU institutions' websites): https://wikis.ec.europa.eu/display/WEBGUIDE/04.+Cookies

Don't blame these BS popups, interstitials, click-through wrappers etc. on Europe, that's purely site operators' laziness, legal CYA (force these wrappers even where not required) and greed where various analytics and tracking cookies (which do require consent) are being deployed.

The penalty for screwing it up is 20m euros or 4% turnover - why is it not surprising that devs play it safe? This is entirely the laws fault for driving this behaviour.
That is not correct. This is the penalty for wilfully screwing it up, and refusing to engage with the regulator when challenged. The most likely outcome of being reported is some advice from the regulator about how to comply.
> This is the penalty for wilfully screwing it up

It isn't incidental that the penalty for being accused of willfully screwing it up is quite high: having to defend oneself against a 20 million dollar judgement.

By now it should be known that doesn't happen.
Says who? Even if it doesn't today, what authoritative source says it won't tomorrow?

You can't act surprised when people drive 55 in a 65mph zone because 'no one gets a 20 million dollar ticket for accidentally doing 5 over.'

It's simply how things work in countries that aren't failing like the USA. Your paranoia is unfounded.
Yup you are right, it is definitely every website with a cookie banner that's wrong. Can't possibly be the result of regulation which protects important things like privacy.

When the world disagrees with what you think should be happening the problem is not with the world but with your understanding of it.

"Eat shit! Millions of flies can't be wrong." I prefer critical thinking over appeals to the majority.
> 'wilfully'

subjective and at the discretion of the accuser.

There's a saying somewhere:

Simple rules give rise to complex behaviour.

Complex rules give rise to simplistic behaviour.

So you think the law shouldn't make a difference between murder and accidents either?
I absolutely blame the EU for this. The job of any political organisation isn't just to blindly regulate, but to predict the likely response of the regulated industry, including in a worst case scenario.

I worked in web dev when these regulations were introduced, and any idiot could see that most companies would take the laziest, safest route to complying with them, in a way that would put a massive burden of inconvenience on the user.

If the EU was competent, they wouldn't have needed warning about this outcome. But they were warned, again and again and again. They chose to ignore it and screwed over their constituents for nothing.

The majority of these are not compliant either way because they are either "opt-out" (with pre-ticked checkboxes) or make it difficult to not grant consent/withdraw consent (declining usually requires much more clicks than accepting).

What the EU did wrong is not the design of the law, it's the lack of enforcement. Enforcement of the law will fine anyone requesting consent in an annoying/obnoxious way and will clean up the current mess we're in.

Well yes, I agree. They should've banned tracking cookies outright, informed consent or not. Alas, they tried to leave space for honest businesses to play with - which is always a bad idea where it comes to the advertising industry.
> Normal cookies required for the functioning of the website

If I happen to click a link on a news aggregator website like this one, then why would the website I visit (possibly for the first time) require my browser to accept cookies?

A technical answer might be that they want to implement a policy to grant you free access to one article per week, and than demand payment to access more than that, and a cookie is simple way to do that (yes, easy to circumvent, but that’s pretty uninteresting from a legal sense)

I don’t think GDPR demands “consent” for this though.

It works the same as the "cancer causing" law in CA. Because the penalty isn't worth the risk, it's almost universally considered better to include the warning even if you don't "think" you need it, because you could be wrong. And being wrong (especially when including the notice costs virtually nothing) is definitely a risky thing.
We should encourage websites to stop tracking us.
The 2 aren't mutually exclusive.

Seriously, I wonder if adding those cookie banner impacted tracking in any significant manner, because it definitely significantly impacted the usability of the web.

Actually, it only impacted the part of the web that is trying to track it's users. Things that didn't have cookies aren't impacted.

The only world in which your statement makes sense in one where user tracking is assumed to be acceptable and something that must be done. Neither of those things are true.

Not OP, but I completely agree with their statement that "it definitely significantly impacted the usability of the web."

As others have noted, a ton of sites seem to have just thrown the necessary JS on their site without actually seeing if they needed to, or if they did, if they could make minor changes that would remove the need.

From a usability/user experience perspective, now users have these popups displaying on some number of sites that they visit, often developed with the assumption that they will be accepted by the user.

Based upon some of the experiences I've had, I would say a number of teams neglect to properly test their sites as a user that has not accepted/dismissed the pop-up/overlay.

An argument could be made that cookie banners might somehow be normalizing tracking cookies too.

Through enough repetition the act of opening a new website and immediately clicking away the cookie popup becomes so automatic that people don't bother to read the disclosure, think about whether XYZ site should be tracking them, whether they want to consent or not, etc.

I myself am guilty of just clicking the damn thing without really thinking, and then I realize in horror that I opted-in by accident.

Serious question - why do people click on them? I simply ignore them and never say one way or the other whether I consent. It never causes me any problems, and I can honestly say that I never consented. Worst case there's 1-2 lines of text at the bottom of the window that have useless stuff in them instead of content. A minor annoyance compared to nav bars that randomly float in and out, email signups that popup after you've scrolled the first time, etc.
I don't care and I don't really see why anyone else does much either. It keeps websites free with no tangible downside. I resent Europe ruining the web with these consent banners. Websites are even forced to support "freeloaders" who don't consent which seems extra ridiculous to me.
No, there is nothing that prevents a website from forcing ads. It's just tracking that's not forcible. (Well, according to GDPR, that is.)
Remove cookies from the HTTP specification, and more importantly, browsers.

Replace it with a single "session token" value that you are allowed to set. Can only be created in response to a form post. No cross domain.

Make all the other web API stuff an smartphone-style opt in. "This app requires the following permissions: "Store private data in your browser. Only do this for site you trust as this can be used to track you." etc.

Maybe all the above can be made into an extension as a stop gap.

Ironically, cookies were GDPR-compliant when first created, and they envisioned the problems they're causing today. Hell, parts original cookie specs read very much like GDPR. It's just got corrupted over time by advertisers. Perhaps the best option today would really be to just rip them out entirely.
Do any reputable extensions modify the cookies randomly vs just deleting them?

I'd imagine a flood of junk data would increase the cost of tracking.

Remember that only cookies (or similar) used for tracking are forbidden and require prior consent.

Functional cookies like shopping carts, logged-in user sessions, etc do not require disclosure nor consent.

Furthermore consent is only valid if it's opt-in (and not opt-out, so pre-ticked checkboxes are not compliant) and if it's just as easy to decline as to accept (so if it takes more clicks to say no than yes then they're in breach already).

Don't blame the EU for this, blame the website operators and their broken business models.

Except for the part where blogs, templates, the uninformed, and the webdevs trying to CYA add the popups anyways regardless of whether or not they are needed because why run the legal risk?
The way they are doing it doesn't actually comply with the law either, so the CYA aspect of it doesn't work as designed. Adding a popup doesn't do anything as far as the GDPR is concerned unless the popup allows you to decline tracking just as easily as it is to accept it (no pre-ticked boxes or anything).

I believe the problem here is wrong advice leftover from the previous "cookie law" (which I agree is completely stupid) being repeated endlessly (either honestly or maliciously from the adtech/spyware industry to try and make the GDPR look more annoying to the users). I sometimes even see this wrong "advice" here on HN on GDPR-related threads.

I just Googled for the top GDPR myths, and one of the first hits goes to a page purportedly listing just that, but I couldn't read it because...wait for it...the pop-up wouldn't go away unless I selected Accept Cookies. Yes, they do track users.
"CYA" == "Cover Your Ass"
That's right its the broken business models that have these companies running rich because we don't care about the banner anyway. The EU is the knight in shining armor that fixed it.
This is indeed a very positive and smart move. Despite the fact that - a lot of sites just don't really play along (they'll just show you a nag popup that you have to OK, but they'll plant their tracking cookies before that anyway) - a lot of sites deliberately make it hard to opt out (this ranges from having to click around in the consent manager to outright sending you to a 20 page PDF that tells you that you can disable cookies in your browser if you want to - this, BTW, is clearly not an acceptable solution according to GDPR), don't show you the content if you don't accept all their tracking cookies (this is also illegal) - some sites just make it a bit harder than it could be (you can see the very same consent boxes on other sites with a more user friendly 'opt out all' option) - some sites do 100% OK

But it turns out that 100% OK is still not good enough. This whole thing should really be managed either by the browsers or by an extension and the consent request should come in a standard, machine digestable way (XML, json, what not). You could then just set your preferences once, that should work for most sites and every now and then (but less and less frequently) you'd be asked about what to do with unknown cookies on unknown sites.

In short, just because part of the industry is trying to circumvent regulation and because the current implementation is not the most efficient, we should not give up on the whole idea.

Or just tweak the law. Remove informed consent as a legal basis for collecting data on web users.

There are probably some context where “informed consent” is a sensible legal basis for processing data. But no-one in their right mind would freely agree to all this tracking that those pop-ups are trying trick you into. So instead of trying to make “consent” easier to give, just assume that is wont be given.

I can think of two or three entities I interact with for whom I might enter such a consensual agreement with. Neither are “sites”, and the web is not the primary way I interact with them, so a browser would not be to tool to maintain those agreements.

Would that mean a complete ban? I don't think that would be great. There is a lot of value in collecting statistics for the sake of analyzing user behavior. I also see the value in targeted ads and I'd say that it would probably be beneficial for the user (but I always opt out, because it's not worth it for me). Semi-automatic consenting could solve this, I think. E.g. I'm happy to provide non-tracking usage statistics for most small startups and I'm OK with Amazon tracking what I'm looking at on their site so they can give me better recommendations.

But I might not know what exactly 'consensual agreement' as a legal expression means.

BTW, this is pretty much the same issue as with ToS's. Some sites will try to DoS you.

Consent is only required if there are no other valid reasons for the tracking.

Tracking required to provide a service for the user don’t require consent f.ex. So you could still get personalized ads from Amazon as service provided for you without needing explicit consent for the tracking as such.

Similarly “non-tracking” analytics don’t require consent either. If you by non-tracking mean more or less anonymous.

You only need consent to for processing PII that you don’t have a a legitimate interest to process.

> a lot of sites deliberately make it hard to opt out

Amusingly I've just followed a link on HN to The Economist [https://www.economist.com] - their popup offers a link to "manage your cookies" where you can untick huge numbers of them or click "Opt Out All". Great - did that, however on returning to the page found the popup still covers part of the page :-)

However, we must remember Hanlon's Razor.

They should just ban all ad tracking cookies outright and remove the cookie for good.
When my browser just hides the popup or banner, which setting did I choose?

The GDPR is pretty clear that opting out must be the default choice, but it wouldn’t surprise me if some use a system that only follows that if it is actually shown.

I wish member nations were more proactive in fining people over this, because I'd then happily report every system like that.

On a related note, has anyone ever seen the corresponding consent popup that would let me opt back out of tracking cookies? I haven't. Which strikes me as weird, since consent was supposed to be as easily to rescind as it is to grant it.

I haven't seen any either. The pop ups just say "cookies exist and we use them". There is no option to say no: the only way to dismiss the pop up is to click the accept button.

So not only do they not inform the user about the risks associated with this invasion of privacy which is a prerequisite for informed consent, they also take away the option to explicitly say no.

Even though opting out of tracking is the default, sites are probably placing cookies and fingerprinting the user's browser on their first visit anyway before they even see the consent pop up. So ignoring the pop up is probably not a real option either.

>has anyone ever seen the corresponding consent popup that would let me opt back out of tracking cookies?

I have but only once, I don't remember where, it was probably an obscure site that didn't have whatever I was looking for. The pop-up was a big list of third party companies with checkboxes (Android style, slide left to uncheck) that had to be disabled individually. I don't think that was legal, consent was given by default unless I manually unchecked each box. There was of course no "uncheck all" button.

None, in the vast majority of cases you illegally weren't given a choice.
I use vimium[1] to close most pop-ups by typing "f" and then hitting the letter that pops up next to the close button.

If that doesn't work, I use a bookmarklet called "Remove Sticky"[2]. I type "bre" and hit enter when sticky things pop up to get them gone.

[1]: https://chrome.google.com/webstore/detail/vimium/dbepggeogba...

[2]: https://news.ycombinator.com/item?id=23446504

That's actually a smart way of using vimium, thank you! I'm gonna set more bookmarklets for various tasks now.
There is a really frustrating thing happening on this thread where people are downvoting answers that are technically correct, which suggests they must be simply disagreeing with the writers opinion on underlying politics. That is a sad way for hn to go.
It's been that way for a very long time. I get down-voted if I say anything from a conservative perspective here.
I believe you when you say that you notice you get down voted for expressing a conservative view on HN, but I seem to notice the opposite.

HN has a way of defending Trump and quickly down voting direct criticism of conservatives, at least in my own n=1 experience.

edit: ...and this comment was flagged. Case in point.

Well I find that a bit odd. But I vouched your comment anyways, because I think it's better to discuss these things than try to flag and ban the other side.
Agreed! I upvoted both of your comments too.
Conservative != Trump. I actually never say anything about Trump (breaking the rule here), because:

(1) conservative ideas don't depend on Trump for their origin or continuance

(2) Trump isn't really that conservative anyway, and

(3) he is such a polarizing figure that it's almost impossible to have a rational conversation (with either side) once you mention him.

You guys are probably both running into the notice-dislike bias: https://hn.algolia.com/?dateRange=all&page=0&prefix=true&que...

I can give you long, long lists of commenters complaining with complete certainty in the bitterest terms that HN is extremely biased in favor of $side and the mods are totally biased in favor of $side, but $side varies entirely with the political feelings of the perceiver. This is one of the most reliable phenomena that exists on HN.

I wrote a long thing about this earlier today: https://news.ycombinator.com/item?id=23530467.

That's interesting, thanks for linking your comment.

I believe it 100%, which is why I tried to discount my own claim too ("n=1" etc).

>We don't see the world as it is, but as we are.

I've managed to be upvoted for saying conservative things more often than not here. You do have to pick your battles a bit and be careful how you say things, avoid responding to hostile vitriol with more of the same, be mindful of what will likely play well with a libertarian-ish hacker crowd, etc, but it can be done.

I've also seen some weird post score swings, like mildly pro-Trump things going down to -3, then back up to +3. We know there's a lot of orgs out there actively trying to influence social media, I wonder if any of them have downvote farms or bots pointed at HN? I'd be disappointed to learn that real HN regulars just reflexively downvote like that.

I don't see the suspect downvotes that grandparent sees though. Maybe gone already?

The original question was deliberately and unnecessarily politically 'loaded' in a manner to demonstrate ignorance about things relating to EU politics. It's basically a sport on the internet.

> Whatever the intent of the GDPR was, the practical result is that now I have to click away the annoying "we're using cookies" popup on every website.

"Whatever the intent of docker was, the practical result is that now my computer runs slower. (Thanks Obama.)"

For "manual" cleanup I'm using slightly extended universal "Sweep Stickies" bookmarklet [1], based on idea taken from "Kill Sticky" [0]. Removes generally all those banners and overlays obscuring content and eating viewport. (Userscript available [2], but I prefer good old bookmarklet way for this.)

It literally crawls all elements in page, tests their computed style and removes those with sticky position (and a bit more). Works quite well for me.

[0] https://alisdair.mcdiarmid.org/kill-sticky-headers/ [1] http://myfonj.github.io/utils/bookmarklets/sweep-stickies.ht... [2] https://greasyfork.org/en/scripts/370572-sweep-stickies

Any solutions for mobile (iOS)? This problem is really painful on mobile devices where (in Safari) the popup takes up half the screen after the url+nav bars takes up a quarter leaving you with 25% of the screen to look at the actual content (with autoplaying ad videos every few paragraphs if you are lucky!) until you dismiss the popup.

Argh, makes me angry just thinking about it. The web is becoming increasingly painful to use through a UI browser.

AdGuard on iOS works well for those (in addition to ads, social media and other trash).
Wow that was awesome and super easy. Thanks for the tip, didn't know iOS Safari had an API for content blocking, I will need to explore that more.
Yes. Install uBlock Origin. Right click on ad / pop up -> Block Element ( a rule is automatically generated ) -> Create. Voila ! You might have to do it 2-3 times for the same element as it might have several layers. But then you're done and you haven't been forced into clicking. "ok"
I use "I don't care about cookies" extension for Firefix, seems to work well.
This is a great extension and also available on Chrome.
Before I discovered this ( through an HN comment as it happens ) I was just ignoring them and scrolling with the screen half-covered. Does anyone know if by just refusing to click anything you're basically ~ not opting in ? Some sites won't let you do that at all though. ( See my other comment for manual uBlock Origin method )
So you mean government involvement in tech both didn’t serve its intended purpose and its an annoyance to the end user? I would have never guessed....
The government doesn't enforce cookie banners. They enforce that there shouldn't be tracking. It's the tech companies who think it's worth while to annoy the users with coockie banners in order to be able to do more tracking (my assumption is that some make the banners extra painful as a way to steer anger towards legislature ...)
I mean, still, the practical effect of the govt legislation was to annoy countless people and waste who-knows-how-much-effort implementing the stupid banners.

To argue that this leglislation would've had a good effect in some hypothetical alternative world where businesses had different incentives is beside the point!

(Side note, if it were not for govt investment in the dentralized, open internet, we'd probably all be using some ungodly-advanced version or America Online. So I'm certainly not advocating govt has no place in tech!)

Another way of looking at it: the effect of the legislation has been to expose that just about every website tracks you.

Websites don't have to put a cookie banner for every kind of cookie. They have to show it whenever they collect identifying data about you. If they choose not to collect info on their visitors, then they don't have to put a banner.

With most of my customers the conversation goes something like:

- Customer: We must still implement that cookie popup before launch!

- Me: No. You don't have to. If we just disable SomePerformanceMetrics and GoogleAnalytics, we're done: we don't need a pupop.

- Me: who is using the performance metrics ATM? And who is acting on GA? How do you use them? Would this (shows three really neat Log-analyzers as alternative) suffice?

- Customer: We don't use them yet. But we might want to in future. And we then we might need all that data. So we want to start collecting it now.

Point is: you don't need Google Analytics, you don't need any of those 20+ tracking cookies if you actually look at it. But there's a lot a FOMO, combined with "but this is how we have always done it, so shut up".

There are some rare cases where GA, new-relic, tagmanager etc are really nessecary and none of the privacy-friendly (ie no-cookie-popup required) alternatives cut it. But those are rare. I daresay that a vast majority of tracking cookies is just there because the developers/business is too lazy to take a serious look at the problem.

Which is why I truly welcome more legislation that turns "collecting vast amounts of data" from "free" into a real and looming liability.

You should add this question to your set of questions: "Do you really want to report all your users up to Google, so that Google sees how successful your product is and can build a competing product?"

And yeah, doesn't work for all sorts of things, but as a site operator I would be careful in giving away that information out of self interest already ...

>Log-analyzers as alternative

You mean... no opt-in popup is required for logfiles? Isn't it also PII? IP + browser + timestamp + referrer? It's almost enough to identify unique visitors.

Yup, it's very similar to what happened with Windows Vista. Those security dialogs were annoying as hell, but the real issue was that most applications were used to running with way more permissions than they really needed. Windows 7 didn't get the flak that Windows Vista got, but the biggest difference was just that applications had had time to fix their permissions so they didn't ask for admin rights that they didn't actually need.
I'm just not sure how else it's supposed to work. The law says, "Can't track without consent." How else could that be put into place other than popups informing you of the use of cookies and asking for consent? I'm not trying to be a smart-ass, if someone has a better idea I'd be all for it.
Don't use tracking tools and advertising networks that hurt people's privacy and you're good. You don't need a banner.
The reason why companies implement those banners is that a banner talking about cookies sounds much nicer than saying: We want to create a profile of every detail we can find on you and auction that out to an advertisement network, press OK here.

GDPR could have added a law against misrepresenting the profiling under the umbrella of a "cookie consent", but that would just be Whac-A-Mole legislation. Companies would just wrap the consent banner under some under pretense.

A govt legislation that would actually work in practice would be to ban the practice of collecting and selling personal data. No consent, no popup, just a law making it illegal. That would have the desired practical effect and no annoying banners would ever be written. It would also be much harder politically to get accepted and people would complain that EU are draconian for not allowing consenting adults to go into an agreement where they trade personal data for service.

Personally however I would prefer if EU did just that. Ban it. Make databases of personal data toxic to have and the liability if anything leaks be high enough that in practice a company like a news papers will do something else in order to earn profits.

> The reason why companies implement those banners is that a banner talking about cookies sounds much nicer than saying: We want to create a profile of every detail we can find on you and auction that out to an advertisement network, press OK here.

The reality is even worse. The site operators would have to say "we want to give your data to google and others so they can create a profile of everything you do online."

If an individual site would track how one navigates their site and see click paths that might be tolerable to some degree. (Till they use that to increase dark patterns like booking.com's "only 2 rooms left and 5 people looking at this") But giving it away, into central databanks is baaaad

Not enforce ≠ the law.

Liability doesn't work with a lack of enforcement.

> They enforce that there shouldn't be tracking.

Doesn't the 2009 ePrivacy directive exclude "strictly necessary" cookies [1], not "non-tracking" cookies? Like GDPR, I think no website wants to be the first to test what falls under "strictly necessary", under the EU directive and every country's specific implementation.

They really should have listed specific exemptions on the directive. Here's hoping that the new ePrivacy regulation will have them and/or just repeals the cookie popup.

[1] https://wikis.ec.europa.eu/display/WEBGUIDE/04.+Cookies

Government is deeply involved in tech and tech is deeply involved in government. There's major mutual touchpoints just about everywhere

Cherry picking an outlier, then attributing one side of the relationship as completely as fault and sarcastically implying it's generally representative isn't an honest depiction of reality.

I've seen lip service to this clear misrepresentation of reality my whole life. I don't let it slide anymore. We can do better.

The difference is that giving the government more power is inherently dangerous. I can refuse to use a specific tech company’s product a lot easier than I can refuse to be under a government.

A corporation doesn’t have the power of the state to threaten to take away property or liberty.

> A corporation doesn’t have the power of the state to threaten to take away property or liberty.

Questionable, and to the extent that this is true, it is because of power given to governments to ensure those rights.

You mean the power given to unelected departments like the FTC, FDA, etc that actually create regulations or the unelected judges with lifetime appointments or the unelected officials in the Department of Justice?
Those obviously need to be fixed. Finding egregious oversights in the structure of our public office doesn't immediately invalidate it because we have tangible, actionable mechanisms for fixing it.

Corporations on the other hand are effectively vestigial 21st century monarchies, with all the cost and benefits that comes with that.

I've ran a few small ones and believe in private industry. I'm not anti corporation, but let's call a spade a spade here. Believing in bullshit never helps you in a competitive marketplace, don't do it.

You mean fix one entire branch of the US government - the judicial branch. Or do you mean the Senate that has two senators regardless of population where someone in the Midwest has far more voting power than someone in a more populous state? Or do you mean gerrymandering?

It’s not libertarianism. It’s seeing the history of biased enforcement when it comes to the “War on Drugs” among other things but even with tech, we see the government would love to get access to data and in the case of the current administration “shut down Twitter”.

If the government had more control over the tech industry, who do you think they would go after?

The government could trivially shut down the internet.

They could easily raid the ICANN and IANA offices in playa vista and shut down global DNS in about an hour if they wanted. It's just a single floor, you could probably do it with 2 police officers.

The chains that bind them from doing so are those of public accountability.

A diligent public strangles the powers of a revanchist government.

Again I agree with you there are regrettable policies that should be addressed. Governance offers us that mechanism. That's why it's preferable as an institution in deciding public policy.

I'd rather have our imperfect government with their awful War on Drugs running the show than say Beyer, who marketed heroin to kids for mild ailments, or Purdue pharma which peddled opioids, you know, as late as last year, or the huxster Elizabeth Holmes or the price gouging Martin Shkreli or RJ Reynolds or any other profit seeking unaccountable entity.

Replacing the FDA with say a board of Shkreli, Holmes and Purdue? Yeah, I'm sure that'd go just great.

And there you have it. When drugs were affecting the inner city it was all about “lack of morality” and being “tough on crime”. But when it started affecting “rural America” it was “let’s blame the drug companies” and “treat it like a disease”.

I doubt people in the inner city or the people who “fit the description” wouldn’t feel the same way about the “War on Drugs”.

Some corporations will kill people if there's a buck to be made and then intentionally cover their tracks. Pg&e, ge, bechtel, nestle, exxon, rj reynolds, purdue, beyer, exelon...

The system as it stands is designed for people to "be as greedy as they can possibly get away with."

Then there's this theory that is everyone is exclusively a conniving bastard trying to double cross everyone and snatch profits by stomping on everyone else, the world will be a functional happy place.

Building a society by incentivizing what basically every religious text says leads to crime is a big mistake.

Some corporations will kill people if there's a buck to be made and then intentionally cover their tracks.

You have been watching what's going on with the police haven’t you?

Of course they do! Private mercenaries, prisons, banks, repo companies, landlords, insurance providers, all kinds... of course they do. Corporations were initially an arm of the state to do state functions. They still do that today.

What corporations don't have is any obligation to cede to the public demand or be held accountable for their actions. There's no democratic control, no way they can be fired by the voter nor do they have any responsibility of transparency.

Voting systems, red light cameras, municipal water, nearly every aspect is controlled by private corporations shirking responsibility oftentimes for decades. Polluting a town's water supply and walking away pretending they didn't - there's even many well known movies about things like this with academy awards. Often the criminals get away with it having hid under the legal fiction of the corporation.

If a secretive unaccountable private corporation determining the outcome of an election and claiming the audit trail is a trade secret doesn't ruffle your libertarian feathers then there's something seriously wrong.

What you claimed is yet another silly thing I've been hearing my whole life. It's totally wrong. Any inspection would immediately reveal this

What corporations don't have is any obligation to cede to the public demand or be held accountable for their actions. There's no democratic control, no way they can be fired by the voter nor do they have any responsibility of •transparency.

How well has that whole accountability thing worked out for the police department and the American military? The justice system?

There's no democratic control, no way they can be fired by the voter nor do they have any responsibility of transparency.

Nor can judges with lifetime appointments.

Voting systems,

Where conservative states consistently disenfranchise minority voters by closing polling places, passing voter id laws but then make it harder for minorities to get an ID and they count gun registrations as valid Id but not college IDs...

Polluting a town's water supply and walking away pretending they didn't

See the government run water supply in Flint Michigan.

Absolutely!

Humans can be real bastards and governments aren't magical solutions just as corporations aren't magically evil.

The question is about who can be held more accountable, who can be more feasibly removed from power and what kind of institution can be more promptly remedied.

We as moral actors could potentially change the laws of governance probably far easier than we could form a corporation to defeat ExxonMobil in the marketplace. Both should be easier, but that's another discussion.

Both governance and private capital are imperfect and both deserve criticism. Being a fan of either is a mistake.

The US has a long history of not being “moral actors” when it comes to the rights and freedoms of racial and religious minorities and non straight people. Having a government that caters to the majority is fine if you are in the majority.

We just saw the government stripping rights of transexuals with regards to health care. What would they do if they had more access to data? If you were a Muslim America would you trust the government in its current state to have more access to your data?

I'm sure that will be addressed far faster than the 60 years it took to hold tobacco companies accountable, only possible through government.
You mean the same government that still hands out farm subsidies to tobacco farmers?

https://www.ewg.org/agmag/2018/05/thank-you-subsidizing-smok...

How many decades did it take the government to rule that it was discrimination not to allow gay people to adopt kids? Get pregnant by in vitro insemination? If you aren’t in the affected group it’s easy to tell those who are to be patient.

What's the point here?

Mine is there's endless propaganda depicting corporate America as bright shiny perfect perfection and government as slow clunky incompetence and I'm really really tired of the bullshit.

It's not academic, it's not scholarly, it's mindless partisan cheerleading, some kind of religious orthodoxy, a blind adherence to something that's obviously nonsense.

It's just endless streams of nonstop crap from places line heritage, hoover, heartland, aei, cato, they're overflowing bullshit factories. Enough of that nonsense already.

Governments do incorporated things and corporations do governance - they are different structures of cultural institutions that interact with each other all the time.

Well let’s see. In 25 years I’m quite positive that I have never been discriminated against when it came to hiring working in technology. That’s from working at some of the smallest companies to some of the largest. I can’t say the same when it comes to being stopped by police when I “looked suspicious”.

Given a choice between trusting Big Tech and Big Government. I trust Big Tech a lot more.

Non anecdotally, who were the first to recognize the rights of LGBTQ? The government or Big Tech?

The Kingdom of France 1791? Monaco in 1793? Prussia in 1794?

When do you want to start this? Maybe 20th century instead? The October Revolution in 1917, Poland 1932, Denmark 1933?

Oh you're talking LGBT protected class discrimination for employment! Pennsylvania, 1975, Wisconsin 1982?

Maybe you're talking about Bostock v. Clayton County(2020) which got to the SCOTUS because a private corporation, in 2019, fired an employee for being gay. That's how it got there, a private company not respecting LGBT rights.

So maybe you mean the courts? When was the first case in lgbt's people's favour? One, Inc. v. Olesen 1958. Nineteen fifty eight.

So yeah, probably government. Feel free to move the goalposts around if you want. I'm pretty confident on this on wherever you decide to place them

The US government has treated people outside the US a lot worse than it's treated its own citizens, in the last 100 years, yet anti-US government people in the US don't seem to talk about that. You don't get invaded, saturation bombed, napalmed, droned etc. Or your democracy replaced with military dictators given a load of weapons and torture training.

Still, why corporations are internally so much better by nature than governments, in that world-view, I don't see.

I’m the first to call out the hypocrisy of people tsk tsking and saying destroying property doesn’t bring about change in the case of police misconduct but being the biggest supporter of the military that bombs other countries and kills civilians to “bring Democracy”.
The banana republics were done for the banana company

The oil wars were done for the oil companies

There isn't this mysterious firewall between government and business. They're different departments of the same thing.

Nor is there any mutual exclusivity. The absolute dictatorship of Pinochets Chile is also where the most radical forms of Milton Friedman's free market capitalism was tried.

They're two interacting institutions of power that can exist in many forms. Free business doesn't guarantee free societies.

There is no silver bullet

> * I can refuse to use a specific tech company's product*

This is less true than you might realize. Consider that if a friend of yours is on Facebook, they might upload photos of you and tag your name, allowing Facebook to build a profile of you regardless of whether you use Facebook or not.

Consider that credit rating agencies buy your loan history in order to rate you as a customer, regardless of whether you check your credit history with them or not. Consider that Google buys your credit card purchase history to build a profile of you.

Consider that Google takes pictures of your house regardless of whether you search for it on Maps. Consider that GM and Ford collect and sell your location data from your vehicle. Note that vehicles that don't do this are getting more difficult to obtain because the price of vehicles is becoming increasingly subsidized by surveillance.

Technology is ubiquitous. Not all technology is a product sold to consumers, and you don't always have a say in how it's used. GDPR covers all of the above situations. Its effect on websites is peanuts.

> A corporation doesn’t have the power of the state to threaten to take away property or liberty.

Automated systems are currently part of the decision-making process in hiring, firing, choosing to loan, choosing to rent, policing, and determining prison sentences. A corporation that offers "fraud detection" services has a surprising amount of power over your liberty and property.

...allowing Facebook to build a profile of you regardless of whether you use Facebook or not.

Why isn't there a law to prevent this while there's a law that accomplishes nothing except guarrantied annoyances? Is not the government that makes laws?

There is, it's called the General Data Protection Regulations. Its purpose is to protect consumers from companies that surveil and track without your knowledge and permission. You should read up on it as cookies are just a tiny paragraph.
My point is that it's the government that makes and enforces laws.

Government is responsible for both its own misconduct and companies'.

Seems a bit simplistic. I'm always surprised at how really smart people revert to tribalist sound bites when it comes to politics. Power is derived from the ability to successfully enforce it. Doesn't matter who has the power.
I would recommend the Consent-O-Matic (https://github.com/cavi-au/Consent-O-Matic) plugin. It doesn't get rid of everything, but it does automatically fill in the forms on practically every website, and you can submit an issue to them when it misses one. I have it set up to automatically deny.
They most of the time shouldn't be "we're using cookies (and we've planted all of them without your consent, oops)" anyway, but consent managers.

But yeah, this could be handled in a more user friendly way, if there was a standard way to express the consent options (with the cookies and their functionalities) that the browsers could parse. Then the page could check if the browser handles it or if it has to fall back to what they're doing now.

As mentioned in another comment, it’s actually possible: https://news.ycombinator.com/item?id=23524626
Makes sense. Actually it could very much work without the active participation of the web sites, at least for cross-site tracking. Because we can collect and identify and categorize those cookies.

And now that we're talking about it, Firefox does have something similar accessible from the URL bar, called "Enhanced tracking protection".

Well, enhanced tracking protection is closer to what an adblocker/content blocker would do as far as I know. They classify some domains as trackers based on a static list from Disconnect then use that information to either block requests or enforce extra restrictions on those (like blocking cookies/storage).
Depending on how bad the warning is, it might be easier to disable javascript. Have found that this gets around some noiser news sites.
I can't believe this isn't handled by the browser. Make a standard API like the location or notification pop ups. Have a setting that says I understand what cookies are and I accept all.
The problem is you're expecting the developers and website owners to voluntarily opt-in to this browser standard.

It'll probably have about as much adoption as Do-Not-Track...

So show a warning when it’s not detected like SSL.
Wouldn't that hurt simple websites which don't track by default?
Well, in my ideal world a browser would ask for permission before placing a cookie at all. It shouldn't matter what the developers did, my browser would detect an attempted cookie placement, notify me, and ask to verify that that's okay.
I think most of those popups are intended for compliance with GDPR. A browser feature that eliminated the interaction might conflict with the intent of the statute.
That would also necessitate an 'accept none' option, which no corporation wants.
And I assume Google would refuse to implement it being that their business is tracking users through various means to serve them ads
FYI, the relevant European legislation says that ignoring the banner means exactly this—it’s all required to be voluntary opt-in, consent freely given. My impression is that >90% of cookie banners are utterly non-compliant, and thus a total waste of everyone’s time.
The Cliqz browser used to have this feature built-in. It would ask you once in the beginning what your default choice would be regarding data collection practices (e.g. opt-out of everything or opt-in; most likely you would like to opt-out); then it would automatically apply your choice on each website (meaning that it would tick the right boxes for you) then hide the popup. It was a really cool feature IMO.
In addition to taking whatever technical measures you are taking, if you're in the EU, consider also grabbing one web site that has a particularly bad consent flow (e.g. a dozen clicks to not get tracked, or a "click or scroll anywhere to consent"), and report them to the appropriate DPA.

The DPAs often only work off consumer reports.

You need to know that these popups are a result of two separate laws: The ePrivacy directive aka Cookie Law, and GDPR. GDPR is enforceable one that you care about. A web site can process your data (e.g. for personalized ads) for one of the explicitly given reason, the most common ones being "legitimate interest", "fulfillment of a contract" and "consent".

There have been a couple recent statements about what counts and doesn't count as legitimate interest, fulfilling a contract, and consent.

You also have the right to ask the controller of the data (not the processor) for a list of data stored about you. Try it with one of said web sites! Make a clean cookie jar, use the site and only the site, send them the cookie jar, and see what data they store. (If they don't, file a complaint with the DPA)

For people who are disabled, dismissing cookie dialogs is one extra difficult pointless thing they have to do _every_ time they visit any website.

Is this a violation of human rights?

Yeah, just like how movies existing that blind people can't watch is a violation of human rights.
Which specific right are you referring to? A right to not be forced to click on a button on every website?
I never get Jehovah's Witnesses knocking on my door to talk about Jesus anymore.

Instead I have the EU asking me about Cookies on every other web page.

I use Safari User Stylesheet. This is mine:

  /* "custom" */
  [class*="as-oil"]:not(body, html),
  [class*="optanon"]:not(body, html),

  /* "generic" */
  [class*="consent"]:not(body, html),
  [id*="consent"],
  [class*="gdpr"]:not(body, html),
  [id*="gdpr"],
  [class*="announcement"]:not(body, html),
  [id*="announcement"],
  [class*="policy"]:not(body, html),
  [id*="policy"],
  [class*="cookie"]:not(body, html),
  [id*="cookie"] {
   display: none!important;
   visibility: hidden!important;
   transform: scale(0)!important;
   opacity: 0!important;
   width: 0!important;
   height: 0!important;
   z-index: -1!important;
   background: transparent!important;
   color: transparent!important;
   font-size:0!important;
  }
(comment deleted)
(comment deleted)