72 comments

[ 0.22 ms ] story [ 124 ms ] thread
For a comedic experience, open this article with your ad blocker turned off.
And they employ exactly the same tactics they describe. TC is such a pile of gunk.
Eh, they used to be a lot worse. Nowadays it's just 2-3 clicks to reject all tracking on TC. Could be better but I'll take it.

Same with Google and Facebook. It looks like they're starting to get in line.

An article dissing cookie popups has a cookie popup with no easy opt out. Amazing.
It's easy to make that take. But try to see the story from the other side.

The person writing that article is a journalist who almost certainly has no direct connection to the ad department of his site and the people who are responsible for the cookie banner. (I sympathize, because I'm a journalist with no direct connection to any of those things.)

It's an unfortunate reality that most media orgs use shitty ad tech. There's also an alignment of incentives that makes it hard for media orgs to do anything else.

For a journalist there's few options how to handle this:

1. Still write about these things and be called hypocritical.

2. Don't write about these things and avoid being called hypocritical.

3. Write about these things on sites without cookies and shitty ads (e.g. a private, simple blog) and don't get payed.

I don't think 2 is particularly preferrable and it should be understandable that 3 is not particularly attractive.

The article also just a re-write of the original article, and contains no original content.
Besides an automated system, I'm wondering if we could benefit from some sort of reporting tool to report sites abusing this UX, with hall of shame and if possible make it easy for the enforcers to know what to focus on.

So folks can report a site if a) it has poor UX to reject all b) despite rejecting all it still uses cookies invalidly.

Seems like something like that would already exist?

Ironic that the cookie-wall on this site commits offence #1 as outlined in the article.
So happy to see that happening. Companies are making a mockery of the laws with the tracking "consent" mazes, auto-enabled "legitimate interest" boxes, etc.

I am also amazed how it's possible to track customers across devices forever, but it seemingly isn't possible to remember my refusal and it is necessary to ask me again very often.

I really hope this reckoning is going to move forward.

Ideally there would be a standardized opt-out button with a recognizable icon in a banner of limited size at the top
Maybe even integrate that in the browser's privacy overview?
Yes, they could use an HTTP header for that. We could call it "Do Not Track".
Exactly, my browser simply rejects all third-party cookies (except from a whitelist) and has a short time limit on the others. No need at all for consent buttons.
Should have happened a long time ago. Hit everyone who resorts to these pathetic dark patterns with a company-ending fine. If all the buzzfeed and gawker clones pull out of the market, even better. Two birds with one stone.
I was and still am totally amazed that people still think it's a good idea to require each individual site owner to comply with that kind of policy instead of letting the browser vendors do the hard work.

Which is easier - to modify and monitor billions of different sites, or to create a framework and obligations on the side of browsers to handle it?

Something like requiring all browsers to start with cookies disabled, and mandating exactly how those users who do consent to tracking can be tracked (up to minute technical details), would do wonders if the goal is to actually improve privacy instead of just making it easy for Google and Facebook to continue doing what they do, while making life harder for millions of small companies and increasing bureucratic load while doing it.

I still haven't figured out how to opt out after initially opting in. Having a standard place in the browser would make this simple.
I think, in case you delete all your cookies, you will get a new cookie popup the next time you visit a web-site. As I usually configure browsers to not keep cookies between browser-restarts, I'm quite used to being asked anew about cookie consent every single time I visit a page :/
Maybe we could send a header to websites letting them know that the user wants to opt out of all non-essential cookies. We could call it DoNotTrack, or something along those lines. I think HN would love the idea.
C'mon. This isn't contributing to the discussion.
Oh the sarcasm ;)
It's unclear if Do Not Track will be useful for cookie consent, certainly it will take a lot of time. Here is an article from 2018 about it.

https://www.w3.org/blog/2018/06/do-not-track-and-the-gdpr/

I think the intent of the GDPR is good, but we now have websites that are harder to use than they have to be. In addition to that companies all over Europe have to spend a lot of time to be GDPR compliant.

I think it's time to take a good look at GDPR and evaluate if it's doing what is was meant to do.

This could work for cookies but how would it work for other types of tracking. GDPR is not about cookies per se but about tracking.
I am not so sure about the law situation here, but this consent is not about cookies especially. It is about user tracking. And there are fingerprinting technology beyond cookies (which bypass cookie resets or incognito modes).
How are they supposed to collect fines then?
But "cookie consent" isn't only about cookies, it's about tracking, data collection and data sharing in general. Why do people miss that?

Cookies are only one of the ways to track users, and they can be blocked. Your browser can't know everything used to fingerprint and track you on each and every site, and it can't know who that data is shared with. Those are the things that only the website owners know and only they can provide the users with choice.

There isn't really anything in GDPR that says this can't be automated and dealt with by the browsers, so long as users are given the choice and from their set their defaults.

It is a matter of intentional annoyance and non compliance but appearance to try and comply by these websites since we already have things like no track headers.

Why would it be a good idea to place the burden on the browser? That's like shooting the messenger.

All of these websites whose life seems to depend on being personal-data-thieves should simply go the way of the dinosaur. If you can't make enough money to keep your site afloat without violating people's rights, then your website shouldn't exist.

What I'd prefer, and where browsers could actually play an integral part, is an easier system for online (micro)payments. Want to read this article? Pay €0.05 please. No registration required. Want a monthly subscription? That'll be €5/month, please create an account.

I loved the web when most websites were either run by universities, or by people who just wanted to share. You know, when things were actually free. Now it seems like everyone and their grandmonther wants to profit off of every little blog by selling my personal data. Which is ridiculous, considering it's an order of magnitude cheaper to host a site than it was in the 90s.

> What I'd prefer, and where browsers could actually play an integral part, is an easier system for online (micro)payments. Want to read this article? Pay €0.05 please. No registration required. Want a monthly subscription? That'll be €5/month, please create an account.

Micropayments are much harder than most people realize. It's not at all hard to design a system that can handle the actual payment part of micropayments. It's the legal environment around micropayments that is hard.

A big problem is taxes. If I'm in jurisdiction X and your site is in jurisdiction Y and I pay you for access to an article, X may consider that a sale in X and want you to pay VAT or sales tax.

Even if you don't meet the minimum volume requirement that a X has before taxes kick in, many jurisdictions still require you to register with them and file quarterly reports if you have any sales there. (And minimums are often of the form at least $S in sales or T transactions. In many US states T is 100 or 200, so you could end up owing tax on a few dollars total of microtransactions).

> What I'd prefer, and where browsers could actually play an integral part, is an easier system for online (micro)payments. Want to read this article? Pay €0.05 please. No registration required. Want a monthly subscription? That'll be €5/month, please create an account.

HTTP 402 Payment Required

It goes back to at least 1999 [0], but as far as I'm aware was never implemented (has been "reserved for future use" until the past few years, where Mozilla now lists it as "experimental technology" [1]).

Edit to really fast downvote: I'm not saying this works, but that 1) there is a longstanding mechanism a new feature could be built on, and 2) it's apparently not been worthwhile for over two decades - but it seems it is being looked at now.

[0] https://www.w3.org/Protocols/rfc2616/rfc2616.html / https://datatracker.ietf.org/doc/html/rfc2616

[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/402

> The problem is that most websites simply aren’t compliant. They choose to make a mockery of the law by offering a skewed choice: Typically a super simple opt-in (to hand them all your data) vs a highly confusing, frustrating, tedious opt-out (and sometimes even no reject option at all).

Like the Techcrunch site where this was published.

I know right?! I went there and met by a giant wall of GDPR bullshit without a button to say "no", buttons grayed out but clickable, multiple page scroll down to reach the desired opt out, default everything off on the first page, but default as you went further... prime example all the way.

At one point in the process I got worried that the GDPR popup is itself whats posted and not an article.

And it's not possible to change/withdraw consent after allowing it. I've searched 5 minutes and found no link or widget that would get me to that screen.
The Gist: A non-profit developed a cralwer which can pick up misleading (or non-working) cookie-consent banners.

> with a plan to file up to 10,000 complaints against offenders over the course of this year

> Today it’s announcing the first batch of 560 complaints, large and small

> noyb is even giving offenders a warning first — and a full month to clean up their ways

In general I'm not a fan of vigilante law enforcers, specifically if they attach an invoice to their warnings.

I hope noyb won't and that the small in large and small doesn't mean people will loose their jobs. If that's the case then god-speed.

If not I fear a lot of warned sites are going to be run by barely profitable family-run businesses, who barely managed to have a consent-banner at all and whose sites are barely visted anyways (thus causing next to little harm).

It's pretty easy for family run business to respect the law : don't track your customers.

No need for any banner if you only use cookies for legitimate interest.

They won't.

> Anders als bei "Abmahnungen" die gerade in Deutschland problematische Ausmaße angenommen haben, fallen für die betroffenen Unternehmen dabei keinerlei Kosten an, da das Projekt durch Spenden der rund 4.000 Fördermitglieder von noyb finanziert wird.

https://noyb.eu/de/noyb-setzt-dem-cookie-banner-wahnsinn-ein...

Simplified Translation: they don't charge the corporations anything. Noyb is financed by donations.
noyb are not "vigilante law enforcers". Law enforcement is police and courts.

Noyb notifies corporations of their GDPR violations. Only if they do not comply they will notify authorities/sue.

> In general I'm not a fan of vigilante law enforcers

Nobody here is enforcing the law. noyb is actually doing a favor to all those small business by informing them that they are in fact breaking the law. Maybe some of them didn't even know it. noyb then gives them ample time to fix the issue and if they don't they get reported to the relevant agencies which then do the law enforcement.

It's all quite simple that I am surprised that anybody would call noyb vigilante law enforcers.

You can't even click on the techcrunch link if you have uMatrix, it's blocked due to their redirect tracking. TC (and some other notable sites, I think engadget and others) employs a tracking-by-redirect scheme through https://guce.advertising.com/collectIdentifiers which is a well-known tracker that has been discussed here and on many reddit threads it seems...
> TechCrunch is part of Verizon Media.

>

> By clicking "Accept all" you agree that Verizon Media and our partners will store and/or access information on your device through the use of cookies and similar technologies and process your personal data, to display personalised ads and content, for ad and content measurement, audience insights and product development.

The irony.

This is TechCrunch cookie consent.

https://i.imgur.com/laO6kiw.png

Before viewing that image I had to accept the Imgur cookie consent :)

It's cookie consents all the way down...

The worst is the "Legitimate interest" when clicking manage options. Apparently 235 companies have a "legitimate interest" in tracking me which is on by default unless I click "Reject All".

https://imgur.com/a/QKzW9pc

My biggest problem with Europe's mandatory cookie warning is that the solution is worse than the problem.

I'm aware that once I enter somebody's site there's a gazillion ways for that somebody to get data about me. If cookies are blocked they'll find another way.

But thanks to Europe's feeling they need to nanny me, I get those obnoxious cookie warning popups on every site I visit. Worse, I can't opt out of the popups. Infuriatingly, Europe didn't ask me if I _want_ to be protected like this.

Of the many problems with the Internet and Web sites, I feel Europe has fixed the most trivial, in the most obnoxious possible way. Thanks for nothing, Europe!

The solution as imagined wouldn't be worse than the problem. There should be a simple, easily accessible "reject all" (or the individual choices should default to reject). This is an issue with inforcement.
You make it sound like the cookie consents are the only think the EU tackled, ignoring that it is only one small aspect of the EU's data privacy & protection legislation, which is having a big effect globally, not just in Europe. If you look at the GDPR penalties & fines so far you won't find any about cookie consent but you will find a lot of examples of bad governance, incompetence and bad data use, which people should be concerned about. Your "nothing" in this case if actually quite a lot of oversight which many people are happy about (even it it's a constant consideration for some of us working with data).

Your example of other ways to gain data about somebody is ALSO covered by GDPR. What's called the cookie consent is about customer data in general. All data provided directly or indirectly by a site visitor is subject to GDPR consideration, regardless of method.

As to not being asked if you personally want a law to exist or affect you: that's not how laws & governments work. If you're in the EU, then it's part of the governing institutions that we contribute to. If you're outside the EU, then it's the choice of the website you're visiting if they provide different experiences for you vs European visitors but again, you have an individual choice about if you visit those sites but your individual opinion doesn't get to decide how somebody else's web site operates and which legislation they adhere to.

It sounds like this is more an issue of personal inconvenience, which most of us share. The problem here is the implementation (e.g. it could have been more directed at browser vendors to implement global privacy controls) but while the current execution is bad the underlying reasoning for data protection is sound.

What the EU didn't ask you wasn't whether you "wanted to be protected", it was whether you wanted a choice regarding being tracked or not. What's so upsetting about being offered a choice?

The party who is making "the solution worse than the problem" and implementing the obnoxious procedures for you to express your choice are the businesses who have the most to gain from blaming the EU on how terrible it is that they can no longer do it without the users' consent.

The article is trying to make the case that the problem is that the "Reject All" button is difficult to find on the cookie popup and it's the site's fault for that.

No. Let's make one thing clear. The problem is with the popup itself, with the fact that it exists. And it exists because the bone-headed law that required it: the GDPR.

The fact that the very first decision I have to make when visiting a website is about an issue I don't five a flying f&$# about is mind-boggling.

The fact that somebody decided to elevate for me something completely harmless ("tracking me online") to a level more important than any other issue when it comes to web browsing is absolutely incredible.

The fact that the cost of both the implementation of this on the website and that of the stupid selection imposed on the site visitor was completely ignored is aggressively idiotic.

And the fact that "somebody" made that decision into one of the most ambiguous, evasive, but at the same incredibly punishing laws around is criminal.

How do we know this? The perfect A/B test. We had the web before GDPR. It wasn't pretty but it worked. Now we have the web after GDPR. It's a cluster-f&$%. The only thing that changed: the stupid law.

Abolish GDPR!

> The fact that the very first decision I have to make when visiting a website is about an issue I don't five a flying f&$# about is mind-boggling.

You seem to have a hard time understanding that laws may be designed to protect people who are not you.

What percent of the population do you think has as the first priority when visiting a website the detail that they are tracked or not? What percent do you think even cares?

And what is the law protecting them against?! I still have to discover the horrifying malice tracking does to visitors. So far I know two downsides: resource usage and ads following you.

Now compare that with the gigantic waste of time when hunting and answering the stupid popup every time I visit a new site...

This is how it is when a bureaucrat decides to protect you from yourself: reminds me of the War on Drugs.

> What percent of the population do you think has as the first priority when visiting a website the detail that they are tracked or not?

Why does it have to be first priority in order to matter a lot?

> What percent do you think even cares?

I don't know, exactly. I seem to recall that several tens of percents of people are worried about technological tracking, so I'd hazard a guess of a few tens of percents.

> I still have to discover the horrifying malice tracking does to visitors.

So you're one of those people who'd happily stream your bathroom to the public?

> This is how it is when a bureaucrat decides to protect you from yourself: reminds me of the War on Drugs.

What a terrible analogy. It's not protecting you from yourself. You're welcome to accept all the tracking if you so wish. It's protecting you from the trackers!

> Why does it have to be first priority in order to matter a lot?

That is it: it doesn't matter to the regular Joe. At all. Because it was made first priority by throwing it into his face as the first experience when visiting a new website by this insane regulation.

> several tens of percents of people are worried about technological tracking

Are they truly worried about it or they are just saying that? Because there were ways to avoid tracking even before GDPR but what percent of those people used them? And are they worried enough to pay some membership or simply stop visiting the offending website?!

> happily stream your bathroom to the public

Are you really equating cookie tracking with bathroom privacy?! That's quite a stretch. Even then, I am not sure if there are laws protecting my bathroom privacy, but if there were I am sure they don't require me so sign some sort of waiver every time I take a dump in my own damn house!

> It's protecting you from the trackers!

Well now I can sleep so much better. I was quite worried about those awful trackers and their... tracking habits. Good thing those Brussels bureaucrats, in their infinite wisdom, thought to protect me against such a horrifying danger, a danger I was completely helpless to protect myself from. What other things are endangering me right now and I have no idea? Somebody call the politicians for help!

> That is it: it doesn't matter to the regular Joe. At all.

That's what we're arguing about, isn't it?

> Because it was made first priority by throwing it into his face as the first experience when visiting a new website by this insane regulation.

I struggle to see how you go from what is the first thing you see, to what is the most important thing.

> Are you really equating cookie tracking with bathroom privacy?!

I am not. I am failing to understand why you think tracking is unproblematic. I'm probing to see at what point you do get concerned about invasion of privacy.

> Even then, I am not sure if there are laws protecting my bathroom privacy

Yeah? Try putting a camera in a bathroom that's not yours.

> but if there were I am sure they don't require me so sign some sort of waiver every time I take a dump in my own damn house!

Nor does a properly implemented, conformant GDPR dialog.

> Well now I can sleep so much better. I was quite worried about those awful trackers and their... tracking habits.

I do understand that you don't care that you're being tracked. That's fine. Carry on. I do not accept your premise that nobody cares. You are not the only person in society. If you are not in a wheelchair, I'm sure you don't personally need wheelchair ramps. Are you angry about those being mandated too?

> Good thing those Brussels bureaucrats,

I should have brought out my bingo board. I already have two items. What's the problem with bureaucrats? What's the problem with their location? Have you been swallowing too much UKIP rhetoric?

What? Being tracked and analyzed in unknown ways without your concent seems very serious. The fact you got used to it doesn't make it less serious. Would you accept people following you around all day taking notes? I'd guess not, so what's the difference with web tracking?

GDPR is good, the sites are doing their best to make the GDPR experience bad to encourage the existence of people with your opinion. It doesn't have to be that way, and hopefully the regulator will use its teeth and make companies using obvious dark patterns pay for their infringements.

> Being tracked and analyzed in unknown ways without your consent seems very serious.

Really?! What is the worst thing that can happen? What exactly is the danger here?

> Would you accept people following you around all day taking notes?

While I browse the web? Sure, why not. I would certainly worry if it was the government doing it, since the government usually has nefarious reasons, but a private party... go straight ahead.

That doesn't mean I can't take my own measures if and when I want my privacy, but that is MY choice. Not an idiotic law "protecting me" against my own will.

Presumably you live in a democratic nation with a strong constitution, respect for law and order, lack of discrimination, and where freedom of speech is a non-negotiable absolute.

Further, I assume your country has a strong army and/or is separated from any would-be invaders by tall mountains, deep oceans, or both.

In that case, probably the worst thing you need to worry about is some level of power imbalance when negotiating with large companies over insurance rates, real estate, or credit.

So, you know how some places have these oddly specific laws based on some of something that happened there? Well, a lot of places in the EU have had some Interesting experiences with people being tracked and analyzed in unknown ways. Hence the laws against it.

I live in the EU, but not in one of the countries from your first two paragraphs.

So, I really wonder about those "interesting experiences" with people tracked and analyzed and how being tracked gives me a power imbalance with large companies?!

All I got from being tracked so far was repetitive ads for the same stuff I just purchased on Amazon. Dumb.

In eastern Europe, the original people doing the tracking and analyzing were your favorite local secret police of course. (take your pick, and I'm sure we can google some examples). I'm pretty sure they'd be quite jealous of some of the modern advertising companies.

That said, even if you're in a west European country with a long and proud democratic tradition (like -say- the Netherlands); you can find examples of people accidentally revealing information about themselves in a census (to wit: religious affiliation) thinking What Could Possibly Go Wrong? Well, the neighbors invaded, demanded the census data, and then hauled off everyone with the Wrong Affiliation to be worked to death and/or gassed. Again, you can imagine it would have been much easier for them if they could have just raided Facebook's offices; but fortunately Facebook didn't yet exist back then.

But even if you have a stalwart democracy surrounded on all sides by the sea, you can still get in trouble if discrimination is rife. See for instance the case of Alan Turing, a man who helped Great Britain shorten WWII by at least a year, and saved many lives. However, people found out his sexual orientation, and he ended up being driven to suicide. One could eg. imagine using Mr. Turing's social graph (derived from advertising/tracking/location/phone metadata) to track down further people to arrest. It should also be somewhat easy to guess someone's orientation based on what sites they visit, for instance.

I did say a couple posts above that if the government is doing the tracking - then yeah, I would be worried.

But if I had something (just or unjust) to hide, I would certainly not rely on a government regulation to protect me. I would simply not trust it and I would use my own methods of protection.

Finally, you presented me with a few valid historical cases which I am not sure are even close: none of them involved a private company tracking people and ending up in tragedy.

I would've waited until I had at least such a case before banning the practice altogether. And I would've also considered the cost of my boneheaded regulation: the cost to implement it (billions) and the cost to abide to it when encountering every f-ing day on each new website: thousands of man-lives wasted.

Well, if someone holds the information, among other things, governments will make laws to be able to get at said information. Or they just send intelligence agencies in to go after it in the first place. If you've ever seen any presentations or news articles about/by Ed Snowden for instance, you'll know to what lengths even a solid democratic government like the USA might go to.

And, you're right. Though previously tracking has only ever caused death/injury/severe_national_embarrassment when the data has been obtained by governments, censuses, counties, post offices, phone companies, and possibly social media companies that start with F; so far social media companies that start with Z have not caused any problems that have been reported in the news where I live. We should therefore trust social media companies that start with Z, because they have a flawless track record.

I think the issue here is the law, but malicious compliance to that law. Which is bad.

The web should not be an ad marketplace that just happens to have content. The favoured rhetoric of the giant corps is that ads pay for the free content, which is balderdash. It's because these gigantic websites are little more than platforms sucking the air out of the web. You and I produce and consume the actual content. We can't allow middlemen to hold us hostage because they want more ad revenue.

Its a bit ironic that the very website the article is on is itself a pretty bad example of this.
This has been my view from the beginning of GDPR. People were complaining that it wasn't having an immediate effect, but governments and law take time, which is generally a good thing in most cases because moving fast and breaking things when you're a government or a legal system can be catastrophic. But once the full weight of the law is put behind things like cookie consent (I often think of these things like the length of time it takes for a supertanker to change course) it will absolutely impose itself.

Also, for those here pointing out the Techcrunch cookie notice, for all the cognitive dissonance that entails (and at least they're reporting it!) I would argue that this is due to sites not wanting to be at a competitive disadvantage. If / when this is properly enforced and the initial squealing from companies is over, they'll generally be OK with it as long as everyone has to comply.

For people who do not deem browser cookies a grave threat to their welfare, there is https://www.i-dont-care-about-cookies.eu/, a very practical browser extension that mitigates most effects of this abysmal law. It's nearly as helpful as adblock these days, if not more, since few ads are as obtrusive as the cookie popups.
My main browser (Vivaldi) is set to block cookies unless a site is whitelisted. When a site like TechCrunch plays fast and loose with the rules, I open it in Firefox, then erase all cookies using the "Forget" button (I wish it were even easier like the Firefox Focus app on iOS).

Trusting a site to comply is a fool's errand, but I applaud NOYB's efforts to enforce GDPR against dark patterns. The EU has also learned its lessons from the Ireland DPC's willful obstruction and the ePrivacy directive is likely to be enforced centrally, not by national authorities with conflicts of interest like Ireland's.

Finally, it is not enough to have the firms discontinue the dark patterns. They must also be forced to delete all the data collected, with auditors sent at their expense to verify this has been done. That in itself would be a much better deterrent than the fines themselves.

The most annoying (and ironical) aspect of cookie consent banners is that websites don't remember your consent choices if you're using a browser setting that doesn't store cookies (say incognito mode). Moreover most websites use consent banners for all website visitors (regardless of whether they are in the EU or not), making the web unusable for everyone in the world.

Thanks, EU.

i just close the website with shady popups, it is that simple now