People who press on cookie banners anything except “agree” – why do you do that?
Some websites might require you to go through the jungle of odd choices about which cookies are acceptable and which are not. It's so similar to Italian strike (aka "work-to rule"). Imagine regular people who are forced to chose between the strange and even strangier. What can they choose but "agree to everything" or look at some gray text through a gray overlay?
There are definitely people in the HN crowd who can understand the different options offered by cookie banners. I have an example of this product of thought, maybe not the best, but good enough to demonstrate what the jungle is [1], so if at least one person in the whole world uses this option - share your answers:
1. What will you do on your next visit if your browser forgets the cookie - click again, right?
2. On which websites do you use these custom cookies, maybe you know something about some special websites?
3. Do you know about some instruments like DO-NOT-TRACK but for cookie banners? Adblock or adblock-like extentions IMO miss the point of doing the conscious decision.
4. If you are such an advanced user of cookie-banners then it is natural for you to think they are somewhat useful for you - what are the advantages of this?
[1] https://www.hull.ac.uk/
264 comments
[ 5.8 ms ] story [ 351 ms ] threadTo reclaim screen space. To provide a data point that I don't want to be tracked. To stop auto-playing videos that distract me.
No, they're asking for consent to track because the EU demanded it. The easiest way to avoid having a banner on your site is to... just not have an analytics package on your site. They're aggressive because they don't want their data spigot turned off - hence the work-to-rule nonsense. You should not infer any benevolence on the part of the people implementing these banners.
My personal habit is to always click whatever option denies the most amount of tracking, mostly because I can.
A cookie that saves, for instance, a preference may not be considered essential but a "Functional Cookie" that adds extra features, because your app is usable without it, and then you do need permission for it.
If you are setting the cookie in direct response to a user initiated action, for functionality, that doesn't require consent.
[1] https://ico.org.uk/for-organisations/guide-to-pecr/guidance-...
Now, there was a different directive preceeding the GDPR that tried to address the rampant abuse of cookies for tracking by regulating cookies directly. The intention of that directive was good, but the implementation really bad. I think this is where this distinction comes from. I don't think I've seen a case where someone who was not doing blatantly shady things with cookies got into trouble with that directive, though.
It doesn't have to be obnoxious either - if you have a preferences page, you could add something like "we'll save these preferences in a cookie on your computer, okay?"
Personally, I think that despite seemingly good intentions, this common practice is counterintuitively harming user-privacy and security, especially on mobile where the banners take up a large chunk of the screen.
Many normal people get something like "banner-blindness": they are so used to seeing banners requesting confirmation when they visit a website that they by default click any random buttons they see to try and hide them right away without reading what is requested.
This practice doesn't really help anybody, IMO, and should probably be handled on the browser-level if people care about it.
No idea why it turned into this cookie banner nonsense.
The EU then passed a bill that said you can't collect data unless it's for one of six reasons, one of which is "user consent". This basically mandated opt-in, so everyone went super-aggressive on consent banners (which, BTW, are probably illegal).
> Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Which is why I suspect almost all "cookie banners" are worthless. They don't give a clear, informed consent, so the site operator is still not allowed to use the data for anything at all.
0: https://gdpr.eu/article-4-definitions/
It's ridiculous that Microsoft's response wasn't to just nuke trackers from space with some kind of adware blocker integration in Edge. This is the equivalent of a mugger saying he'll only honour your "do no mug" sign if the sign defaults to "mug me please" and has to be explicitly changed.
1. telemetry, for diagnostics and health monitoring
2. usage analysis, for program improvement and personalization
3. content analysis, for advertising and marketing purposes
Windows requires kind 1 and encourages kind 2*. Type 3 does not really apply, though, as I don't see Windows sniffing what I write in my text files so that I'm shown relevant ads later.
It's all explained here: https://privacy.microsoft.com/en-us/data-collection-windows
* Also note that the Customer Experience Improvement Program has been with us since Windows 7. Same thing, just not perceived as badly as Windows 10.
(There's even 0), data collected for functional purposes like 2FA. Multiple companies have taken data straight from 0 to 3 once they see the possible revenue.)
Note how most ad blocking tech is either community-run FOSS projects or companies with not-so-savory business practices. It's really not the kind of work that browser vendors want to do. In fact, Apple went out of their way to create an extension type purely for delivering ad block lists to Safari all the way back in iOS 9. Ad blocking is that much of a pain that even Apple was willing to farm it out to third parties years before we got proper mobile extension support.
Occasionally, browser vendors get lucky, and there's a tracker type that's "easy enough" to kill. Things like third-party cookies would be one of them - but even then this required a huge amount of testing to avoid breaking apps that relied on them for authentication.
The only reason why ad block even works is because ad companies are incredibly paranoid and don't trust each other. The standard way to do display ads is to embed each other's `<iframe>`s or JS, which gives ad blockers a nice easy target to hit. Platforms like Facebook or Twitter that are trusted to do their own ad delivery and thus don't hotlink subresources are far harder to block. They can change how ads are styled basically every hour if they wanted, which would make any kind of rule-based ad blocking ineffective. If every ad platform did this, ad block as we know it would be dead.
Why do you think they have good intentions?
Many of these banners employ some pretty slick dark patterns for you to opt-in to their most critical analytics. One of my favorites is when cookie selection is more than one click from the banner, or it causes a page reload.
It's a valid critique, so here goes: how would you implement it to avoid those?
I’d probably prefer more for the advertising industry to die a fast death, but I doubt that will ever happen.
The net result of VATMOSS, GDPR and cookie banners was that a ton of small businesses decided not to bother with a website and moved to being FB only or Amazon only.
Some of the original Chrome browser team have followed this line of thought:
https://neeva.com/blog/introducing-cookie-cutter-by-neeva-a-...
Given that you can completely block cookies and other tracking in the browser, why on earth did they bother? I despise bureaucrats writing laws when they don't understand technology.
Yes, we can play the tracker-removal cat-and-mouse game, but that involves a lot of time and effort, projected forever. This battle is going to be won by whoever has the most time and money to waste, and, spoiler alert: it's not the adblock vendors. It's Google.
In the specific case of cookies, you need those to authenticate to web services, so you can't just block all of them. Instead you need to delicately allow or deny every cookie based on if it's purpose is holding a login token or tracking a user. In fact, sometimes it's both.
Strictly speaking, if I log into Facebook, that shouldn't be considered consent to track. But right now, that's how it works. You know all those "login with Facebook" buttons all over the web? Those give Facebook third-party tracking capability. There is no browser extension in the world that will allow you to login with Facebook without also telling Facebook what site you were logging into. You need a law to force Facebook to split-brain themselves and silo off that data from their advertising operations.
Yeah, sure. "Just don't use Login with Facebook". Except every third-party login system has this problem - and there are plenty of smaller companies that absolutely do not want to handle user credentials and require that you use a third-party login service. And given that using smaller providers are the easiest way to get your credentials stolen, it is entirely understandable and advisable that they not roll their own authentication.
Furthermore, most users are not at all aware of all the technical stuff I mentioned above - and they shouldn't have to be in order to have privacy.
Having a well-written law is a lot easier: you just tell Facebook, "no, really, if you use your login service to track people we're going to fine you". Corporations react to (sufficiently large) fines a lot more favorably than technical restrictions or circumvention. "Don't be evil" is a way bigger guarantee than "can't be evil".
One the ads are more relevant.
Two because the ads are more relevant the advertiser makes far more money on them and therefore doesn't have to show you as many to fund their service.
For example, showing you unlikely or imagined bike-related problems, to sell you useless protection gear or insurance after you get your bike. Showing you ads for motorcycles, because although you probably don't want one, someone who already likes bikes is more likely to buy a (more expensive) motorcycle, so that's where they'll direct their spam.
Targeted advertising is about manipulation, using knowledge of the customer to change their behavior. No one is going through those efforts to show you what you already want and save you a quick Google.
The ENTIRE POINT of an ad is manipulation. Advertisers wouldn't bother if people always ignored ads.
But also, much of ads are scams, and the targetting helps the scammers find susceptible targets
Problem solved, am I right? ;)
Assuming people would just log less was hopelessly naive (especially given that apache defaults already do enough logging to run afoul of the GDPR).
Apache logs for example do not run afoul of GDPR unless you:
A) process them. (Correlate them with further identification)
B) sell them.
C) do nothing to secure them.
Regardless. The law does have conditions for these cookie banners. Namely that if you do not present an easy 2 click opt out then you’re in violation. Many people are in violation in what I feel is an attempt at a sort of civil disobedience. “They can’t prosecute us if we all do it” mentality.
And that's the default for collection of Apache logs.
Law depending on the opinion of lawyers is “useful”.
If anyone wants to attempt to prosecute me for storing Apache logs then I’m happy to defend it in court. GDPR isn’t the boogeyman unless you’re selling data. I’m quite certain there are sympathetic judges to that end. Logs are necessary and even in some cases legally mandatory.
I would talk to your lawyer.
My lawyer's great, but he won't be paying the fine if he's wrong.
You aren't going to get the maximum fine unless you are doing something egregious. Collecting the default Apache logs and not using them for anything malicious isn't going to get you the maximum fine or likely any fine at all.
You would be 99% in the clear if you do nothing. The worst that's likely to happen is that you're forced to adopt a retention policy and delete old logs, and even that is extremely unlikely unless you are Google/Facebook scale or are doing something significantly worse than industry standards.
You can also hire oricate security to stop stalkers, and yet stalking is illegal
You can have cookies without consent.
Tracking requires consent even if it doesn't use cookies.
You can block some tracking in the browser, but server-side tracking generally can't be blocked.
GDPR cares about whether you are tracking, not about the means you use to accomplish it.
Likewise, except:
* If for any reason I can't easily deny all the unnecessary stuff (eg. there isn't a way or they have something like the Daily Mail where to disable all the "legitimate interest" you have to click literally hundreds of individual boxes) I don't click anything and leave the site immediately.
* I don't do it because I can. I do it because by clicking OK I would be explicitly consenting to being tracked and I don't want to be tracked. The content is pretty much never worth it. ("It" being falsely telling people I'm fine with being tracked. I'm perfectly aware it will happen anyway.)
They have been well-advised by their lawyers. Anything else is just a bomb waiting to explode on you.
GDPR fundamentally changes the default of whether tracking is allowed to occur or not. If a user browses the web automatically blocking (just deleting/blocking the element, not automatically clicking accept) every consent pop-up, the website is not allowed to track them nor is it allowed to block the user from using the website.
If you had such a browser extension, and if websites were actually conforming to the law, all EU users could browse the web without ever seeing any popup and without ever getting tracked.
Works brilliantly :).
What if there's back-end only analytics? Does that require a banner?
You only need consent if there is absolutely no reason for you to have that data. Consent is the emergency hatch, only to be used in exceptional circumstances.
"But what gives?!", I hear you think. As a law professor said (roughly): it was truly amazing to see how an entire industry colluded so swiftly and completely to undermine legislation.
Also no.
There are specific acceptable reasons to have the data. LI is a weak one and does not apply in many situations (there are a lot of balancing factors applied, including a "reasonable person" standard on the data subject). As you say, consent is a very strong one, if received it can virtually always apply. The ones in-between only apply in limited situations genuinely necessary for business (company management of employee data, addresses of customers you need to ship to) or to a small set of companies (hospital management of health data, AML/KYC for banks), and rarely to general web / app analytics.
"I would like that data to serve ads better" (or "to sell to someone who wants to serve ads better") is not "absolutely no reason", but it is also rarely one of the other reasons. And conversely, even if in some case if you have a legitimate business interest i.e. would go bankrupt without it, it is not LI in the sense of GDPR if it cannot meet other factors. The modern adtech ecosystem more or less requires "consent-strength" allowances.
Could you explain this claim? I'm seeing it more often and I wonder if there's something I'm missing.
GDPR Article 6 gives five other legal bases for processing. From my reading, consent is just another basis you can use if the others don't work.
The case for legitimate interest in parsing logs is extremely weak. There are situations where you could claim it but it still must be with a clear purpose. E.g. a Spanish company considering opening a branch in France might collect IPs to make a heatmap of where its French customers are. But they would not be able to use those IPs generally, to the extent e.g. they might be expected to delete the IP and only store aggregated by department.
You also said PII, not PD - note that some PII is sensitive data, which cannot be collected under LI provisions at all.
(This is not legal advice. If you think you can collect personal data with the LI exception, godspeed and I hope you have a good lawyer.)
If you're running a site, it's just safer to ask than to assume that you know your site is not tracking users.
It's a newbie, be nice. They don't get how it works yet.
That'll make it harder for fraud detection to work (the traffic is legitimate, organic traffic after all). If enough people do it, tracking firms that ignore DNT will have garbage datasets or worse.
I've worked on systems for detecting this sort of fraud. Systematically injecting malicious traffic into legitimate click streams would defeat most anti-abuse measures that I've seen.
How will you defend yourself in court? "I didn't do it, I just let somebody else use my machine, yes I knew they were up to no good that was the point, but to my defense I was shown an ad"?
So, their complaint is what, exactly? They tried to run unauthorized code on my machine, it noticed, and forwarded the unauthorized logic/connection/nonce/etc to a honeypot?
This isn't an actual service I plan to build. If someone else does, and prevails in court, rest assured I'll be cheering them on.
It's not even work-to-rule. It's illegal if the button to refuse consent is in any way less obvious than the button to grant it, which it nearly always is.
Notably, OneTrust, which provides a lot of the banner solutions which are illegal gets it right on their own website. So they do know the rules, but they knowingly provide a solution that's illegal.
After I'm done reading I just close the website again.
Some tracking methods will more effectively be able to track you across the boundaries of your "incognito" sessions.
For example, the modern browser has a huge API surface that makes accurate finger printing using tuples of individually only moderately narrowing information possible for as long as you allow it to execute JavaScript.
I wonder if the answer to the problem could be to let those companies to track whatever they want if only all they get is exactly the same fingerprint from every user.
Which means that they calculate there are 21x more people that have a $5k XDR display than use macOS Safari. Which seems... unlikely.
(anyway, tracking via IP address is a pretty accurate way to track across browsers and cookie resets, until you're behind a large NAT / proxy.)
I suspect it's not legally binding when you never clicked agree or deny as well.
If it doesn't try to trick me into accepting things, I sometimes actually consider doing that.
Why don't I just accept them all? No idea. Out of spite? Principles? Because I have too much time? Because my mind is too eager to get distracted with the popup? The fact that the only reason to even show these popups is for the website to do non-essential things that aren't actually in my interest? All of the above? Use of tasteless dark UX patterns doesn't even instill trust in me that these choices are actually respected in any way, to put it lightly.
Remarkable how often that works.
Like those websites that have a banner stating “by using this website you agree to let us track you with cookies”
2. If present I'll click 'Deny', but I'm not hunting it down. Blocking the prompt with an adblocker is my preferred option.
3. Cookie Autodelete is the only sensible way to manage cookies IMHO. Store cookies for webpages you trust, delete all others. Annoyingly there's no official way to tell webpages you don't care.
4. Cookie banners are entirely pointless since I'm fully in control of which cookies I am sharing.
The GDPR covers the intent and processing of the data rather than any specific technical means - it's not limited to cookies. Please see my other comment: https://news.ycombinator.com/item?id=30964163
I'd check your adblock to see if it has a similar ruleset.
As a provider: I don't use cookies. Here's my privacy policy: https://max.io/privacy.html
Thanks for including your own privacy policy. We're starting our own effort and our top line was "we won't make data or the user the product" and were trying to structure something as simple as your policy.
edit: thanks for the thoughtful response, downvoters!
I also think constant lies on TV is a problem. I of course believe somewhat in my own ability to filter through, but at the end of the day, it is reality-distorting when it goes on in large scale and a societal problem!
So your real issue is that people are spending their time and energy on something you don't like
The internet used to have pop ups in the early 2000s, until popup blockers and then the Mozilla browser came. Then we had over a decade of no pop-ups. Then Europe decided to make the internet a worse place by requiring websites to put something that's essentially a pop-up (the cookie notices) on them by law. I've seen enough pop ups in the early 2000s, so no thank you to them today.
I don't understand why Europe decided to make the web a worse place like this, because it's competing with apps, and apps can violate privacy much more than websites afaik
I can protect my privacy myself if I want to, the EU is not helping at all because there are just dark patterns everywhere to make not accepting cookies difficult or inconvenient.
Perhaps, rather than shrugging one's shoulders and saying "well, to hell with you, I've got mine," there are other things we as a functioning society can do. Like standardize how these cookie prompts must be displayed (small, inobtrusive) and standardize a set of accepted behaviors when the user ignores or closes it (reject all non-required).
One reason the EU did this is to bring to light the tracking habits of websites and give some power to the user. Much like Apple did with their do not track me button on IPhone. A lot of people opted to not be tracked but before just didn’t have the option or were oblivious to being tracked to begin with. And trust me being as secretive as possible for tracking is by design. It’s scary the amount of info a website can get from your browser.
Providers made those banners big, annoying, and full of dark patterns because they want you to agree to those cookies. They didn't have to have a bunch of check boxes right next to an "Accept All" button--this was a conscious choice by those providers. You are being targeted by malicious compliance so you dislike the thing that they want gone. This is a sucker's game, and you are falling for the okeydoke.
"Europe" didn't make the Web worse. People who won't stop tracking you because it is worth nanocents to them to do so did, and this is how they're fighting people who are trying to stop them.
> The cookie banners are actually illegal
IANAL but the 2011 cookie law required to notify users about cookies, and banners / popups were at least at that time how websites could do that
If a website doesn't want to annoy you with a cookie banner, they could always opt to not use any non-essential cookies.
There seems to be a pattern that 'Agree' grants access to use tracking cookies and other metric collection. So, I usually either not consent and see what happens, or I 'customize' and for most sites that leaves 'essential' cookies enabled.
Why? Because I don't want to be harassed with targeted ads everywhere I go.
I'm not sure, but I think that companies can legally protect themselves if they have records of people clicking accept.
They can still delete the data of people who don't click. Simple as that.
It is a dark pattern, I think, especially when there is no refuse button.
Spite.
* About 25 percent of the time I load the website in sandbox way —- a container or private mode. The website’s intentions are clear and I don’t trust them.
[0] https://addons.mozilla.org/en-US/firefox/addon/i-dont-care-a...
[1] https://addons.mozilla.org/en-US/firefox/addon/cookie-autode...
[0] https://addons.mozilla.org/en-US/firefox/addon/ekill/
I also use Behind The Overlay Revival[0] for annoying overlays. I just have to click the toolbar button - not even aim at the elements I want to remove.
That said, ekill's grudge mode looks interesting.
And I use Unstick![1][2] which can get rid of annoying fixed headers and footers that chew into your vertical space.
[0] https://addons.mozilla.org/en-US/firefox/addon/behind-the-ov...
[1] https://addons.mozilla.org/en-US/firefox/addon/unstickall/
[2] For some reason though, I always have to click it twice to make it work.
Now, I wonder what does the GDPR and similar legislation say about those, but my uneducated guess is that a user accepting the site's policy regarding user data collection would approve the use of fingerprinting as well (and deleting the cookies would only work partially, privacy-wise).
This is also why there is value in not clicking "accept" even if you already block cookies and/or run in private browsing mode.
I find it worth the trouble to find some way of disagreeing, either via "reject all", or clicking through the various radio-buttons offered and hitting save. It just seems worth the effort.
While I admire the efforts to limit data collection, these privacy/cookie popups are now a plague across the internet, a 'net that had done a brilliant job of getting rid of the first wave of popups in the past that I well remember, along with the relief when they had been banished by sensible browser manufacturers.
Even better than dealing with the privacy banner, I now often just hit "Back" and don't bother reading any articles that are only offered in exchange for collecting my data. It's a good filter, and time saver.
If the site starts getting complicated due to my decision of clicking "Disagree", it signals to me the website doesn't really care about its users and is trying to make me go away. If I don't care much about the content, that's what I do.
Hopefully they're measuring their bounce rate, happy to vote with my feet in those cases.
I usually zap them with uBlock Origin or leave the website if I can't do that.