People who press on cookie banners anything except “agree” – why do you do that?

93 points by eimrine ↗ HN
I am from a generation that is familiar with banners showing dancing Flash animations from the internets of the 00s, usually some boobs and butts on the middle of the screen, and I still remember that pressing [x] or [close] could either close the banner or do it even bigger. So if the cookie banner's overlay is not hard enough, I am comfortable to read a text through the overlay, but it seems way more broken because the owners of that dancing nudes at least realized that they are disturbing people, and those in charge of the cookie banners really believe that they protect the interests of the user, so cookie banners are noticeable agressiver - nude banners never had an overlay and almost never made the content unreadable before paying attention to them.

Some websites might require you to go through the jungle of odd choices about which cookies are acceptable and which are not. It's so similar to Italian strike (aka "work-to rule"). Imagine regular people who are forced to chose between the strange and even strangier. What can they choose but "agree to everything" or look at some gray text through a gray overlay?

There are definitely people in the HN crowd who can understand the different options offered by cookie banners. I have an example of this product of thought, maybe not the best, but good enough to demonstrate what the jungle is [1], so if at least one person in the whole world uses this option - share your answers:

1. What will you do on your next visit if your browser forgets the cookie - click again, right?

2. On which websites do you use these custom cookies, maybe you know something about some special websites?

3. Do you know about some instruments like DO-NOT-TRACK but for cookie banners? Adblock or adblock-like extentions IMO miss the point of doing the conscious decision.

4. If you are such an advanced user of cookie-banners then it is natural for you to think they are somewhat useful for you - what are the advantages of this?

[1] https://www.hull.ac.uk/

264 comments

[ 5.8 ms ] story [ 351 ms ] thread
> why do you do that?

To reclaim screen space. To provide a data point that I don't want to be tracked. To stop auto-playing videos that distract me.

>those in charge of the cookie banners really believe that they protect the interests of the user

No, they're asking for consent to track because the EU demanded it. The easiest way to avoid having a banner on your site is to... just not have an analytics package on your site. They're aggressive because they don't want their data spigot turned off - hence the work-to-rule nonsense. You should not infer any benevolence on the part of the people implementing these banners.

My personal habit is to always click whatever option denies the most amount of tracking, mostly because I can.

Do you know if it is only third-party analytics being called that requires the prompt, or is setting any cookie for the website's use only requiring permission too?
Essential cookies that are necessary for the website to run do not need a permission from the user. For example, if you want to use cookies to save a selection or a language setting, you don't need to ask for permission.
Yep - but to clarify, the cookies must really be NECESSARY - i.e. your site or app would be unusable without the feature they implement.

A cookie that saves, for instance, a preference may not be considered essential but a "Functional Cookie" that adds extra features, because your app is usable without it, and then you do need permission for it.

Well, what does unusable mean? If my app offers a feature and the cookie is necessary for it to work, then it's essential. For example, a cart feature in an ecommerce app. Could you shop without a cart? Sure, still I would consider this cookie essential.
A cart does sound essential, but I guess it's up to a judge to decide. Perhaps you should implement a cookie-less "buy now" option to avoid needing to go before a judge.
Like a session variable?
IANAL, but from my understanding the GDPR itself does not make this distinction. It's okay to store things to implement functionality, like login or shopping baskets. Tracking people is not okay.

Now, there was a different directive preceeding the GDPR that tried to address the rampant abuse of cookies for tracking by regulating cookies directly. The intention of that directive was good, but the implementation really bad. I think this is where this distinction comes from. I don't think I've seen a case where someone who was not doing blatantly shady things with cookies got into trouble with that directive, though.

It doesn't have to be obnoxious either - if you have a preferences page, you could add something like "we'll save these preferences in a cookie on your computer, okay?"

Regular cookies that are required for normal operation (to remember that you are logged in etc), does not require any permissions. But they try to make it seem that way, and they bug you as much as they can to get you to just agree to all cookies. Dark patterns everywhere.
In house analytics and third party analytics are the same for the law. It’s all about user tracking.
> No, they're asking for consent to track because the EU demanded it.

Personally, I think that despite seemingly good intentions, this common practice is counterintuitively harming user-privacy and security, especially on mobile where the banners take up a large chunk of the screen.

Many normal people get something like "banner-blindness": they are so used to seeing banners requesting confirmation when they visit a website that they by default click any random buttons they see to try and hide them right away without reading what is requested.

This practice doesn't really help anybody, IMO, and should probably be handled on the browser-level if people care about it.

On mobile, I often can not even check a box. Rotation sometimes solves the problem. Firefox -noscript always does, if I care that much.
...except for sites that completely stop working when JS is disabled.
Ha! Yes, exactly... it "solves the problem", but not always as desired :^)
I don't understand why they didn't use the Do-Not-Track header. It's perfect: a client sending DNT is explicitly denying consent to any form of tracking before the page is even rendered. The presence of such a header should cause web applications to automatically delete any and all tracking javascript from their pages at the very least.

No idea why it turned into this cookie banner nonsense.

Microsoft pulled an Apple and turned DNT into opt-in. Advertisers were very clear that they would only honor DNT if it people were tracked by default.

The EU then passed a bill that said you can't collect data unless it's for one of six reasons, one of which is "user consent". This basically mandated opt-in, so everyone went super-aggressive on consent banners (which, BTW, are probably illegal).

Consent popups are legal so long as agreeing is not easier than disagreeing. Iow, you cannot make it harder to disagree - which 99.95% of them do.
Also, "consent" has a specific meaning in GDPR, see article 4(11) [0]:

> Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Which is why I suspect almost all "cookie banners" are worthless. They don't give a clear, informed consent, so the site operator is still not allowed to use the data for anything at all.

0: https://gdpr.eu/article-4-definitions/

Seems like a good case for a class action suit. Why hasn't this happened yet?
Because it would have hundreds of millions of people in it.
Revoking consent must also be as easy as consenting. Almost no site does this correctly.
> Advertisers were very clear that they would only honor DNT if it people were tracked by default.

It's ridiculous that Microsoft's response wasn't to just nuke trackers from space with some kind of adware blocker integration in Edge. This is the equivalent of a mugger saying he'll only honour your "do no mug" sign if the sign defaults to "mug me please" and has to be explicitly changed.

Microsoft is part of "them" now though given their direction since Windows 10, so I find that very unlikely.
While you are right that Microsoft loosened their stance with privacy, let's not conflate data collection purposes:

1. telemetry, for diagnostics and health monitoring

2. usage analysis, for program improvement and personalization

3. content analysis, for advertising and marketing purposes

Windows requires kind 1 and encourages kind 2*. Type 3 does not really apply, though, as I don't see Windows sniffing what I write in my text files so that I'm shown relevant ads later.

It's all explained here: https://privacy.microsoft.com/en-us/data-collection-windows

* Also note that the Customer Experience Improvement Program has been with us since Windows 7. Same thing, just not perceived as badly as Windows 10.

Without a law like the GDPR, nothing stops them from using data collected for 1) and 2) for 3). Which they will do once some PM realizes it's worth something.

(There's even 0), data collected for functional purposes like 2FA. Multiple companies have taken data straight from 0 to 3 once they see the possible revenue.)

Ad blocking is not a "nuke trackers from space" button. It's more like piloting a drone fleet to pick out and kill terrorists or insurgents in a not-so-friendly country. It requires lots of work to identify ads and create comprehensive filter rules to block ads, and periodic re-checking to make sure they haven't been broken by the advertising companies.

Note how most ad blocking tech is either community-run FOSS projects or companies with not-so-savory business practices. It's really not the kind of work that browser vendors want to do. In fact, Apple went out of their way to create an extension type purely for delivering ad block lists to Safari all the way back in iOS 9. Ad blocking is that much of a pain that even Apple was willing to farm it out to third parties years before we got proper mobile extension support.

Occasionally, browser vendors get lucky, and there's a tracker type that's "easy enough" to kill. Things like third-party cookies would be one of them - but even then this required a huge amount of testing to avoid breaking apps that relied on them for authentication.

The only reason why ad block even works is because ad companies are incredibly paranoid and don't trust each other. The standard way to do display ads is to embed each other's `<iframe>`s or JS, which gives ad blockers a nice easy target to hit. Platforms like Facebook or Twitter that are trusted to do their own ad delivery and thus don't hotlink subresources are far harder to block. They can change how ads are styled basically every hour if they wanted, which would make any kind of rule-based ad blocking ineffective. If every ad platform did this, ad block as we know it would be dead.

> Personally, I think that despite seemingly good intentions

Why do you think they have good intentions?

Many of these banners employ some pretty slick dark patterns for you to opt-in to their most critical analytics. One of my favorites is when cookie selection is more than one click from the banner, or it causes a page reload.

I've seen a few of those where you reject all and it causes a page reload, hence putting you in a loop where the banner comes back.
I think you're talking about the businesses' motivations and I'm talking about the random EU bureaucrats that imposed the regulations. Despite how skeptical I am of most government interventions, I'd tend to assign benign intentions on the bureaucrats part here as I'd have to guess that they genuinely wanted to do something good. But like any bureaucrats sitting in their ivory towers imposing rules on others, the majority of their rules have unintended consequences, can be taken advantage of, are usually designed by committees that even when well-intentioned produce a mish-mash of inconsistent ideas, etc.
> imposing rules on others, the majority of their rules have unintended consequences, can be taken advantage of, are usually designed by committees

It's a valid critique, so here goes: how would you implement it to avoid those?

Make it part of the browser, not the website.
The "make it part of the browser" argument doesn't work in practice because the GDPR covers the intent and purpose of data collection/processing rather than any specific technical way of collecting or processing said data. Blocking cookies at the browser level doesn't prevent the website from using browser fingerprinting or the information you manually provided (your delivery address to make a purchase for example) in a way you didn't agree with.
I’d really like a way for my browser to tell sites my default preferences, just to reduce browser noise.

I’d probably prefer more for the advertising industry to die a fast death, but I doubt that will ever happen.

The rules are actually fairly sensible: the fact that the banners are deliberately confusing is actually illegal. The issue is that national agencies who enforce the rules (because EU rules are implemented via national laws) aren't enforcing the rules properly.
I agree there is a greater chance they're more stupid than a brick than they're malicious but I wouldn't exclude the idea that internet gatekeeper like Facebook and Google are bribing them to create extra barrier for newcomers to have independent websites.

The net result of VATMOSS, GDPR and cookie banners was that a ton of small businesses decided not to bother with a website and moved to being FB only or Amazon only.

It's a modern variant of the "this site is unsafe, continue using" click through that browsers gave for incorrectly configured SSL before the major browser vendors converged on the conclusion that they should make it actively hard to pass through insufficiently-secured SSL configuration because users would just click okay on the spooky dialog.
>No, they're asking for consent to track because the EU demanded it.

Given that you can completely block cookies and other tracking in the browser, why on earth did they bother? I despise bureaucrats writing laws when they don't understand technology.

On other hand there could be an extension that sends tracking history and everything else to everyone. If you really want to share that information.
Because cookies are useful functionality that should be used in our best interests, not to pad some corporation's bottom line via surveillance capitalism. We shouldn't have to block cookies or anything, they're the ones who have to stop creating software that is essentially malware.
I despise engineers writing code when they don't understand laws.

Yes, we can play the tracker-removal cat-and-mouse game, but that involves a lot of time and effort, projected forever. This battle is going to be won by whoever has the most time and money to waste, and, spoiler alert: it's not the adblock vendors. It's Google.

In the specific case of cookies, you need those to authenticate to web services, so you can't just block all of them. Instead you need to delicately allow or deny every cookie based on if it's purpose is holding a login token or tracking a user. In fact, sometimes it's both.

Strictly speaking, if I log into Facebook, that shouldn't be considered consent to track. But right now, that's how it works. You know all those "login with Facebook" buttons all over the web? Those give Facebook third-party tracking capability. There is no browser extension in the world that will allow you to login with Facebook without also telling Facebook what site you were logging into. You need a law to force Facebook to split-brain themselves and silo off that data from their advertising operations.

Yeah, sure. "Just don't use Login with Facebook". Except every third-party login system has this problem - and there are plenty of smaller companies that absolutely do not want to handle user credentials and require that you use a third-party login service. And given that using smaller providers are the easiest way to get your credentials stolen, it is entirely understandable and advisable that they not roll their own authentication.

Furthermore, most users are not at all aware of all the technical stuff I mentioned above - and they shouldn't have to be in order to have privacy.

Having a well-written law is a lot easier: you just tell Facebook, "no, really, if you use your login service to track people we're going to fine you". Corporations react to (sufficiently large) fines a lot more favorably than technical restrictions or circumvention. "Don't be evil" is a way bigger guarantee than "can't be evil".

Preach! What we ultimately need is just a law that says it is illegal for companies to collect or store any data for marketing purposes, tracking, or resale. No opt ins, no exceptions. Unfortunately we can't fully kill targeted or unsolicited advertising at the root because of freedom of speech issues, but we can eliminate all the data it depends on.
why do you dislike targeted advertising?
I really don't mind targeted advertising.

One the ads are more relevant.

Two because the ads are more relevant the advertiser makes far more money on them and therefore doesn't have to show you as many to fund their service.

I think it's less the targeted advertising, and more like I can't take 5 internet steps today without 40 people shouting at me to buy their diapers because my partner googled "diapers" last night.
People see "targeted advertising" as "I was thinking about buying a bike and it shows me ads for bikes", ie. it's showing me what I want to see. That is not targeted advertising. Targeted advertising is showing you what they want you to see when they want you to see it, or showing you the same products in a light that makes you more likely to buy them.

For example, showing you unlikely or imagined bike-related problems, to sell you useless protection gear or insurance after you get your bike. Showing you ads for motorcycles, because although you probably don't want one, someone who already likes bikes is more likely to buy a (more expensive) motorcycle, so that's where they'll direct their spam.

Targeted advertising is about manipulation, using knowledge of the customer to change their behavior. No one is going through those efforts to show you what you already want and save you a quick Google.

you have quite a low view of people's ability to make decisions for themselves if you think being shown ads is manipulation. And I struggle to see how targeted ads are somehow worse than the same sort of 'manipulation' inherent in using an algorithmic feed like HackerNews or Twitter. Both are exposing you to things they want you to see. Yet you don't seem to have such strong opposition to those as you do targeted ads.
> you have quite a low view of people's ability to make decisions for themselves if you think being shown ads is manipulation.

The ENTIRE POINT of an ad is manipulation. Advertisers wouldn't bother if people always ignored ads.

Generally the ads that are targetting me are unrelated to things that I want.

But also, much of ads are scams, and the targetting helps the scammers find susceptible targets

Fortunately, we have replaced the tracker removal cat and mouse game with a consent banner cat and mouse game, projected forever.

Problem solved, am I right? ;)

Well, yes, law enforcement in general is a cat-and-mouse game. That doesn't mean we shouldn't have any laws.
I 100% agree, but I feel like the proliferation of consent banners was predictable and if people didn't want it, the law should have initially accounted for it.

Assuming people would just log less was hopelessly naive (especially given that apache defaults already do enough logging to run afoul of the GDPR).

A lot of GDPR is (intentionally) misrepresented.

Apache logs for example do not run afoul of GDPR unless you:

A) process them. (Correlate them with further identification)

B) sell them.

C) do nothing to secure them.

Regardless. The law does have conditions for these cookie banners. Namely that if you do not present an easy 2 click opt out then you’re in violation. Many people are in violation in what I feel is an attempt at a sort of civil disobedience. “They can’t prosecute us if we all do it” mentality.

I'm not sure a lawyer would agree with your assessment of the Apache logs. If they aren't actively being used to maintain site health, the mere collection of private IPs is enough to make them unnecessary private information.

And that's the default for collection of Apache logs.

I guess it varies depending on the lawyer, mine agrees with my interpretation.

Law depending on the opinion of lawyers is “useful”.

If anyone wants to attempt to prosecute me for storing Apache logs then I’m happy to defend it in court. GDPR isn’t the boogeyman unless you’re selling data. I’m quite certain there are sympathetic judges to that end. Logs are necessary and even in some cases legally mandatory.

I would talk to your lawyer.

With a 20 million euro minimum fine on the table, I don't think I'll feel comfortable on this topic until either the law is clarified or someone sets precedent.

My lawyer's great, but he won't be paying the fine if he's wrong.

$20 million isn't the minimum fine. That's the maximum fine for companies with under $500 million in annual turnover.

You aren't going to get the maximum fine unless you are doing something egregious. Collecting the default Apache logs and not using them for anything malicious isn't going to get you the maximum fine or likely any fine at all.

You would be 100% in the clear on that as long as you apply a reasonable retention policy to your logs. Keeping them forever isn't reasonable. Keeping them for a year almost certainly is.

You would be 99% in the clear if you do nothing. The worst that's likely to happen is that you're forced to adopt a retention policy and delete old logs, and even that is extremely unlikely unless you are Google/Facebook scale or are doing something significantly worse than industry standards.

"Given that you can completely block cookies"

You can also hire oricate security to stop stalkers, and yet stalking is illegal

Because GDPR has nothing to do with cookies.

You can have cookies without consent.

Tracking requires consent even if it doesn't use cookies.

You can block some tracking in the browser, but server-side tracking generally can't be blocked.

GDPR cares about whether you are tracking, not about the means you use to accomplish it.

> My personal habit is to always click whatever option denies the most amount of tracking, mostly because I can.

Likewise, except:

* If for any reason I can't easily deny all the unnecessary stuff (eg. there isn't a way or they have something like the Daily Mail where to disable all the "legitimate interest" you have to click literally hundreds of individual boxes) I don't click anything and leave the site immediately.

* I don't do it because I can. I do it because by clicking OK I would be explicitly consenting to being tracked and I don't want to be tracked. The content is pretty much never worth it. ("It" being falsely telling people I'm fine with being tracked. I'm perfectly aware it will happen anyway.)

Those consent boxes are nowadays used to blanket consent to things like telemarketing. I would never tell anyone to click agree on anything they haven’t thoroughly read, except proprietary software EULAs.
At least in the EU most sites seem to automatically disable nonessential cookies if you don't click Accept. The American equivalents all force you to manually uncheck everything
> At least in the EU most sites seem to automatically disable nonessential cookies if you don't click Accept.

They have been well-advised by their lawyers. Anything else is just a bomb waiting to explode on you.

And if someone wrote a browser extension that hides those popups (or makes them scrollable instead of sticky), the user would not need to do anything to reject cookies.
Exactly. This is an absolute key point I find most people miss in these discussions.

GDPR fundamentally changes the default of whether tracking is allowed to occur or not. If a user browses the web automatically blocking (just deleting/blocking the element, not automatically clicking accept) every consent pop-up, the website is not allowed to track them nor is it allowed to block the user from using the website.

If you had such a browser extension, and if websites were actually conforming to the law, all EU users could browse the web without ever seeing any popup and without ever getting tracked.

> The easiest way to avoid having a banner on your site is to... just not have an analytics package on your site.

What if there's back-end only analytics? Does that require a banner?

(comment deleted)
If you're storing personal data, you need consent. A banner would be the least intrusive way to do that. (If your backend analytics don't store a cookie and don't store IPs, you may not be storing personal data to begin with.)
No.

You only need consent if there is absolutely no reason for you to have that data. Consent is the emergency hatch, only to be used in exceptional circumstances.

"But what gives?!", I hear you think. As a law professor said (roughly): it was truly amazing to see how an entire industry colluded so swiftly and completely to undermine legislation.

(comment deleted)
> You only need consent if there is absolutely no reason for you to have that data.

Also no.

There are specific acceptable reasons to have the data. LI is a weak one and does not apply in many situations (there are a lot of balancing factors applied, including a "reasonable person" standard on the data subject). As you say, consent is a very strong one, if received it can virtually always apply. The ones in-between only apply in limited situations genuinely necessary for business (company management of employee data, addresses of customers you need to ship to) or to a small set of companies (hospital management of health data, AML/KYC for banks), and rarely to general web / app analytics.

"I would like that data to serve ads better" (or "to sell to someone who wants to serve ads better") is not "absolutely no reason", but it is also rarely one of the other reasons. And conversely, even if in some case if you have a legitimate business interest i.e. would go bankrupt without it, it is not LI in the sense of GDPR if it cannot meet other factors. The modern adtech ecosystem more or less requires "consent-strength" allowances.

> If you're storing personal data, you need consent.

Could you explain this claim? I'm seeing it more often and I wonder if there's something I'm missing.

GDPR Article 6 gives five other legal bases for processing. From my reading, consent is just another basis you can use if the others don't work.

In the context of backend analytics, it is difficult-to-impossible for any of those others to apply. The point is that FE vs. BE, cookie vs. no cookie isn’t really what matters. What data you collect and why is what matters.
My understanding; ip adresses are considered personal information. You are allowed to store them in your log for security purposes, without consent (legitimate interest). But if you use that log for analytics, you need consent.
Are you sure about this? Parsing the logs stored for legitimate interest and then aggregating from that data for another purpose without storing PII seems to me like fair game.
You can't process personal data "for legitimate interest" per se. This is the biggest lie the adtech industry keeps telling themselves. The LI exception is that you can process personal data to do X with fewer restrictions, if you have a legitimate interest in X. For example, all companies have a legitimate interest in certain employee data e.g. legal names / tax identification. More complex, if you run an insurance company, you have some legitimate interest in a broad swath of your customer's demographic data.

The case for legitimate interest in parsing logs is extremely weak. There are situations where you could claim it but it still must be with a clear purpose. E.g. a Spanish company considering opening a branch in France might collect IPs to make a heatmap of where its French customers are. But they would not be able to use those IPs generally, to the extent e.g. they might be expected to delete the IP and only store aggregated by department.

You also said PII, not PD - note that some PII is sensitive data, which cannot be collected under LI provisions at all.

(This is not legal advice. If you think you can collect personal data with the LI exception, godspeed and I hope you have a good lawyer.)

Keeping in mind, of course, that Apache access logging in its default configuration probably counts as "an analytics package."

If you're running a site, it's just safer to ask than to assume that you know your site is not tracking users.

At this point, I'd be happy with a service that has my browser send a "do not track" header on each request, and also open a proxy connection to a black hat server each time the page decided to make a request to a known tracking domain.
A "black hat server"?
Someone is trying to convey that a plugin should report sites that are detected ignoring DNT to ne'er'do'wells to invite horrible things to happen to them.

It's a newbie, be nice. They don't get how it works yet.

Not a newbie. Let 'em use a MiB or so from my legimate browsing session with legitimate IP to perpetrate click fraud or auction fraud or whatever.

That'll make it harder for fraud detection to work (the traffic is legitimate, organic traffic after all). If enough people do it, tracking firms that ignore DNT will have garbage datasets or worse.

I've worked on systems for detecting this sort of fraud. Systematically injecting malicious traffic into legitimate click streams would defeat most anti-abuse measures that I've seen.

You want to let people commit whatever fraud they want using your computer? Knowingly?

How will you defend yourself in court? "I didn't do it, I just let somebody else use my machine, yes I knew they were up to no good that was the point, but to my defense I was shown an ad"?

The tracking servers are using my computer without authorization. (The "do not track" header specifically told them so.)

So, their complaint is what, exactly? They tried to run unauthorized code on my machine, it noticed, and forwarded the unauthorized logic/connection/nonce/etc to a honeypot?

This isn't an actual service I plan to build. If someone else does, and prevails in court, rest assured I'll be cheering them on.

> hence the work-to-rule nonsense

It's not even work-to-rule. It's illegal if the button to refuse consent is in any way less obvious than the button to grant it, which it nearly always is.

Notably, OneTrust, which provides a lot of the banner solutions which are illegal gets it right on their own website. So they do know the rules, but they knowingly provide a solution that's illegal.

It’s an absolute pity that the legislature didn’t require : deny everything : remember my selection : if the same analytics package exists on other sites, remember my g’d selection
If I see a cookie banner on a website, I simply reopen it in an incognito window/tab and click whatever it wants.

After I'm done reading I just close the website again.

I have a bookmarklet to remove stickies, this gets rid of many cookie banners and signup prompts
Want to share your bookmarklet, maybe?
uBlock Origin has a filter list (annoyances?) that gets most of the cookie warnings as well
They could still fingerprint your browser. Agreeing to the prompt doesn’t just mean consenting to the placement of cookies but potentially the combination, re-identification and sale of such data.
This is a good time to remind people that these prompts not only concern cookies (or even all cookies), but any form of non-essential visitor tracking.

Some tracking methods will more effectively be able to track you across the boundaries of your "incognito" sessions.

For example, the modern browser has a huge API surface that makes accurate finger printing using tuples of individually only moderately narrowing information possible for as long as you allow it to execute JavaScript.

I use separate and fresh isolated firefox (running within podman container) to make fingerprinting a bit more difficult, it's still fingerprintable and probably this new fingerprint can be easily associated with the other but I like to imagine I make it more difficult to track me. Every little helps :)
Test it here: https://coveryourtracks.eff.org/ its amazing how unique your surfing is :)
Yep, with this much of information it probably won't be a problem to match two browsers running on same machine. Interestingly my ff session which runs in podman does not reveal most of the best sources of fingerprinting which I can see when running the same test on chromium.

I wonder if the answer to the problem could be to let those companies to track whatever they want if only all they get is exactly the same fingerprint from every user.

I do wonder how accurate that is these days... Like it says that my user agent is significantly more unique than my monitor resolution, but Safari froze the user agent years ago.

Which means that they calculate there are 21x more people that have a $5k XDR display than use macOS Safari. Which seems... unlikely.

(anyway, tracking via IP address is a pretty accurate way to track across browsers and cookie resets, until you're behind a large NAT / proxy.)

A user-agent and IP address alone is enough to track you. The mere fact that you're using a browser with a single-digit marketshare is unique enough.
I choose to accept the required cookies to use the site, not the tracking ones
If they appear to be antagonistically designed, I find myself using ublock origins lightning bolt out of frustrated spite.
This, but with every pop up.

I suspect it's not legally binding when you never clicked agree or deny as well.

The more aggressive and dark-UX the banner is, the more likely I am to spend time figuring out how to reject everything or to just close the tab right away.

If it doesn't try to trick me into accepting things, I sometimes actually consider doing that.

Why don't I just accept them all? No idea. Out of spite? Principles? Because I have too much time? Because my mind is too eager to get distracted with the popup? The fact that the only reason to even show these popups is for the website to do non-essential things that aren't actually in my interest? All of the above? Use of tasteless dark UX patterns doesn't even instill trust in me that these choices are actually respected in any way, to put it lightly.

I do the same every time, except the most complex cases. Them I started to treat as paywalls -- just close the page, I wasn't so interested in this information anyway.
I do right-click -> inspect element and then delete the pop-up element in the browser source viewer thing on chrome. Sometimes I have to find where it says “overflow” and set it to “overflow: visible” or something like that.

Remarkable how often that works.

Yup, that's one of the strategies I sometimes employ as well :)
I do kind of the same in Firefox with ublock origin, making it permanent. "Right click", Block Element". I also added a userContent.css file to my firefox profile, which adds the following style to every page on every website, so I don't have to deal with the overflow shite:

    html, body {
        overflow-y: initial !important;
    }
Firefox has an add-on "nuke anything" where you can just right click on anything on a page and remote it. handles these banners pretty well
If you don’t accept or decline the cookie pop up I’m pretty sure every website treats it as a “yes you can track me”.

Like those websites that have a banner stating “by using this website you agree to let us track you with cookies”

1. Sure. Though in my case this applies to both options, I'm not storing cookies for webpages I don't deliberately want to be remembered by.

2. If present I'll click 'Deny', but I'm not hunting it down. Blocking the prompt with an adblocker is my preferred option.

3. Cookie Autodelete is the only sensible way to manage cookies IMHO. Store cookies for webpages you trust, delete all others. Annoyingly there's no official way to tell webpages you don't care.

4. Cookie banners are entirely pointless since I'm fully in control of which cookies I am sharing.

> Cookie banners are entirely pointless since I'm fully in control of which cookies I am sharing.

The GDPR covers the intent and processing of the data rather than any specific technical means - it's not limited to cookies. Please see my other comment: https://news.ycombinator.com/item?id=30964163

I don't think the GDPR mandates cookie banners at all, but somehow I'm still subjected to them. Most of them don't (explicitly) ask to collect my data, they just ask if they can use cookies.
Using the AdGuard Annoyances filter I rarely see them anymore in the first place.

I'd check your adblock to see if it has a similar ruleset.

Site settings, remove all cookies, then block all cookies.
As a consumer: I hate cookie banners. Ads are a menace to society and the banners are a manifestation of a toddler fighting against the rules by being a total nuisance. When there's something I need from a site, I will always go into the "manage" route and save the disabled cookies. I also use duckduckgo's privacy browser and burn my session often.

As a provider: I don't use cookies. Here's my privacy policy: https://max.io/privacy.html

Fully agree!

Thanks for including your own privacy policy. We're starting our own effort and our top line was "we won't make data or the user the product" and were trying to structure something as simple as your policy.

Upvoted, this viewpoint seriously needs to become the norm, thank you for providing it.
why are ads a menace to society?

edit: thanks for the thoughtful response, downvoters!

normalizes expectation of others inserting ideas in ones head instead of critically assessing concepts with available observations and deriving one's own opinion for starters
why can't consumers critically assess ads the way they critically assess things like this post? what makes ads uniquely menacing?
(comment deleted)
Their sheer volume. Drive into a major city in some country where ads are entirely unregulated. There will be billboards everywhere, impossible to take it all in or critically assess it.
as opposed to the internet, where the content is bounded and manageable? I fail to see how you can square such disdain for ads while taking part in an online forum like hackernews
The voting and moderation system on HN essentially distributes the load of managing & sorting all the information across many people, so that overall the workload is manageable. Most of us wouldn't be browsing HN if it was a free-for-all unmoderated cesspool.
My head has limited capacity. I'm happy to filter out ads. Thankfully, HN doesn't need the filter.

I also think constant lies on TV is a problem. I of course believe somewhat in my own ability to filter through, but at the end of the day, it is reality-distorting when it goes on in large scale and a societal problem!

Most ads have no content that can be subjected to critical assessment. Geico's terrible comedy sketches are not designed to convince you that they have a good product – they're designed to rattle around in your mind and influence you subconsciously. To the extent that they succeed in that, they make people behave less rationally, and are of negative social utility. And if they don't succeed, then they're just a pointless drain on society's money, time, talent, and attention.
I certainly can critically assess Geico's ads - just like you did in your analysis above

So your real issue is that people are spending their time and energy on something you don't like

You can assess their comedic and social value, but you can't assess their argument about car insurance, because there isn't one. They're trying to manipulate how you feel, not convince you of some point. It's like if, rather than making an argument in this comment to convince people of my point, I just said "Lol, imagine being such a corporate beta cuck." Some not-particularly-mature people might be influenced by that statement, perhaps more than by an actual argument, but it would be an inappropriate and underhanded tactic.
Why not use cookies if they are required for functionality? No notice needed for those, too.
I use a plugin called "idontcareaboutcookies" to not see them because I don't want anything requiring interaction just to read stuff anywhere

The internet used to have pop ups in the early 2000s, until popup blockers and then the Mozilla browser came. Then we had over a decade of no pop-ups. Then Europe decided to make the internet a worse place by requiring websites to put something that's essentially a pop-up (the cookie notices) on them by law. I've seen enough pop ups in the early 2000s, so no thank you to them today.

I don't understand why Europe decided to make the web a worse place like this, because it's competing with apps, and apps can violate privacy much more than websites afaik

Completely agree, every website I visit now has an annoying cookie overlay, which requires interaction from the user. Just let me read the damn article! I don't care if you track a single visit to this website which I will never come back to.

I can protect my privacy myself if I want to, the EU is not helping at all because there are just dark patterns everywhere to make not accepting cookies difficult or inconvenient.

"This law should fail because people who want this law to fail are complying maliciously" is one of the more out-there readings of reality I have seen in some time.

Perhaps, rather than shrugging one's shoulders and saying "well, to hell with you, I've got mine," there are other things we as a functioning society can do. Like standardize how these cookie prompts must be displayed (small, inobtrusive) and standardize a set of accepted behaviors when the user ignores or closes it (reject all non-required).

People can be complying maliciously and the law can be bad at the same time. I doubt most people actually thinks the EU struck a good balancing with the current laws.
They don't just track "a single visit", they bind your surfing of this particular site to your global shadow-profile at FB or Google and then sell this data about you to companies purchasing ads (or worse). This kind of data collection of the general public is what the EU's GDPR is designed to protect, and which is why you need to ask consent from your users to track their desires like that and sell their data.
The thing about these cookies and the privacy is that those cookies are accessible by everyone. And some websites can place cross site cookies and continue tracking you in detail just because you clicked that one link on that one website.

One reason the EU did this is to bring to light the tracking habits of websites and give some power to the user. Much like Apple did with their do not track me button on IPhone. A lot of people opted to not be tracked but before just didn’t have the option or were oblivious to being tracked to begin with. And trust me being as secretive as possible for tracking is by design. It’s scary the amount of info a website can get from your browser.

This is a misunderstanding of the situation.

Providers made those banners big, annoying, and full of dark patterns because they want you to agree to those cookies. They didn't have to have a bunch of check boxes right next to an "Accept All" button--this was a conscious choice by those providers. You are being targeted by malicious compliance so you dislike the thing that they want gone. This is a sucker's game, and you are falling for the okeydoke.

"Europe" didn't make the Web worse. People who won't stop tracking you because it is worth nanocents to them to do so did, and this is how they're fighting people who are trying to stop them.

(comment deleted)
Some of us don't give a shit about tracking and are forced to go through all those stupid banners. So yes, I blame the EU. There should be some HTTP header that you could set to say that you accept everything. It's opt-in so the EU bureaucrats should be OK with it.
The GDPR covers the intent and processing of the data rather than any specific technical means - it's not limited to cookies. Please see my other comment for why implementing that in-browser is not feasible: https://news.ycombinator.com/item?id=30964163
What I don't understand is why a food blog run by someone in Kansas has cookie consent popups. You're not in Europe. Large multinational corporations I can understand. But it seems like most websites have these popups now even though most hosting and most content generation occurs somewhere other than the EU.
There's a huge industry around this bullshit that intentionally spreads FUD and misinformation to scare website operators into purchasing their "solution" even though they may not be affected in the first place.
The cookie banners are actually illegal, and, eventually, they might go away when the law catches up with them. You've fallen for advertiser FUD.
Note that those cookie banners are required, and ever-present, in the EU since 2011 or so already (long before GDPR), so that's over a decade, what do you mean by "might go away when law catches up with them"? I'd be happy if they would go away by the way, it just seems very optimistic!

> The cookie banners are actually illegal

IANAL but the 2011 cookie law required to notify users about cookies, and banners / popups were at least at that time how websites could do that

They're probably referring to the common lack of a "reject all" in the banners that came about from the GDPR cookie law.
You can't blame all of today's popovers on cookie regulation, the HEY DO YOU WANT TO SUBSCRIBE TO MY NEWSLETTER????? crowd had them beat by years. At least the cookie banners usually only cover a small part of the bottom of the window and can be ignored if you don't want to interact with them.

If a website doesn't want to annoy you with a cookie banner, they could always opt to not use any non-essential cookies.

(comment deleted)
I simply refuse to press "I accept" as a matter of principle. If the website doesn't have a relatively easy way to refuse all (anything that takes me more than, say, 3-4 clicks), I'll just close it.
I am someone who almost never clicks 'Agree'.

There seems to be a pattern that 'Agree' grants access to use tracking cookies and other metric collection. So, I usually either not consent and see what happens, or I 'customize' and for most sites that leaves 'essential' cookies enabled.

Why? Because I don't want to be harassed with targeted ads everywhere I go.

Because I suspect it is legally binding and that it can be used in court.

I'm not sure, but I think that companies can legally protect themselves if they have records of people clicking accept.

They can still delete the data of people who don't click. Simple as that.

It is a dark pattern, I think, especially when there is no refuse button.

It is against the GDPR if there's no refuse button. The problem is that the regulation has yet to be enforced anywhere near enough so websites can get away with this kind of malicious pseudo-compliance.
> People who press on cookie banners anything except “agree” – why do you do that?

Spite.

I mostly only see these in websites found in a feed, like the Google Now feed on my android phone. If it's annoying enough I just block the website. If I can't trust them to track me then I don't really need to read whatever they are writing.
* 75 percent of the time I leave the website and never return.

* About 25 percent of the time I load the website in sandbox way —- a container or private mode. The website’s intentions are clear and I don’t trust them.

No need to click anything nor be tracked across the web! I Don't Care About Cookies [0] combined with Cookie AutoDelete [1] will hide all cookie consent popups, deny permission/not click if possible, and auto-accept if required to use the site. IDCAC alone will hide all popups, but in cases where you must click accept to browse it will do so invisibly & the cookies will linger. CAD solves this problem by purging everything automatically (except your whitelist) when the tab is closed.

[0] https://addons.mozilla.org/en-US/firefox/addon/i-dont-care-a...

[1] https://addons.mozilla.org/en-US/firefox/addon/cookie-autode...

Ive been using these two in combination for a little while and found it to be a significant improvement to my web experience. I also use the ekill[0] extension to remove annoying flashing elements or banners that wont go away.

[0] https://addons.mozilla.org/en-US/firefox/addon/ekill/

I use the I Don't Care About Cookies and Cookie AutoDelete add-ons too.

I also use Behind The Overlay Revival[0] for annoying overlays. I just have to click the toolbar button - not even aim at the elements I want to remove.

That said, ekill's grudge mode looks interesting.

And I use Unstick![1][2] which can get rid of annoying fixed headers and footers that chew into your vertical space.

[0] https://addons.mozilla.org/en-US/firefox/addon/behind-the-ov...

[1] https://addons.mozilla.org/en-US/firefox/addon/unstickall/

[2] For some reason though, I always have to click it twice to make it work.

(comment deleted)
These banners have made me more aggressive about using DDG browser on phone. I do click “accept” because it’s the fastest path to read whatever article or view whatever picture I came to the site for, then use the DDG flamethrower to destroy everything. It’s a bit of a win-win because I get to read the site without having to figure out the site-specific cookie settings but the site also doesn’t get any of my data.
Many people here seem to forget that cookies aren't the only way to track, and fingerprinting a user is easy without having to use cookies (via UserAgent, IP, canvas data, and a myriad other techniques).

Now, I wonder what does the GDPR and similar legislation say about those, but my uneducated guess is that a user accepting the site's policy regarding user data collection would approve the use of fingerprinting as well (and deleting the cookies would only work partially, privacy-wise).

The GDPR indeed covers fingerprinting and anything data that can be used to identify someone - the idea that these consent forms are specifically about "cookies" is a lie that's being spread by stupidity or malice. See my other comment for more details: https://news.ycombinator.com/item?id=30964163

This is also why there is value in not clicking "accept" even if you already block cookies and/or run in private browsing mode.

We respect your privacy! Please click agree to allow us to disrespect it.

I find it worth the trouble to find some way of disagreeing, either via "reject all", or clicking through the various radio-buttons offered and hitting save. It just seems worth the effort.

While I admire the efforts to limit data collection, these privacy/cookie popups are now a plague across the internet, a 'net that had done a brilliant job of getting rid of the first wave of popups in the past that I well remember, along with the relief when they had been banished by sensible browser manufacturers.

Even better than dealing with the privacy banner, I now often just hit "Back" and don't bother reading any articles that are only offered in exchange for collecting my data. It's a good filter, and time saver.

I click "Disagree" by default, because why would you click agree by default?

If the site starts getting complicated due to my decision of clicking "Disagree", it signals to me the website doesn't really care about its users and is trying to make me go away. If I don't care much about the content, that's what I do.

Hopefully they're measuring their bounce rate, happy to vote with my feet in those cases.

Because it's like signing a contract without reading it's contents.

I usually zap them with uBlock Origin or leave the website if I can't do that.