That's a delightfully "extra" word lol. I can't ever see myself using it unironically or outside of some goofy language game or something. Same way I feel about "reify", its ostensibly useful in a very limited gamut of meaning but you almost never see any native English speaker use it even at the highest levels.
No way?! I stand corrected but also that is hilarious. In fact, I think I have used it like once with regard to the physical basis through which qubits actually reify computation but I don't even know if thatisn't technically gobbledeygook. You can obviously be aware of the spirit of its inquiry but it could also be pretensious nonsense I just don't have a better way to articulate.
Edit: wait: reify or cromulent? The whole spiel wws for reify before I realized cromulent came first lol
The Google Analytics JavaScript (gtag.js, analytics.js) runs on sites using Google Analytics, to share site-usage data (which can be gathered from either consented cookies, or "legitimate interest" exceptions) with Google Analytics.
The EU-mandated cookie box/popup literally lists Google Analytics on sites that use it, and this categorically states you can control refusal of that by using the browser add-on -- which is clearly informed consent, because you can choose not to install it, knowing the data (which could be gathered by other means anyway) will then be passed on to Analytics.
Of course this is for the average non-technical end user, who hasn't -- for example -- already used something like NoScript to block the JavaScript from running in the first place...
The information can be collected anyway under legitimate interest provisions, which is (a) already listed and discussed, and (b) the relevant cookies have their own opt-outs.
The GA add-on is purely about that same data being passed to GA - and the very same cookie pop-up literally tells you what information is sent, why, and tells you how you can opt out (by either blocking the JavaScript, or installing the add-on) -- it literally meets the requirements for informed consent, as you put it, "legally or otherwise."
Might want to go check that out before trying to make baseless claims, "legally or otherwise."
The "information" you speak of vary. Some site plumb everything into GA, some just use it for pageviews. Some send all data, some use their own proxy backend to strip all remotely personal data. For examples of different ways to use it and their varying legalities see recent cases in sweden: https://edpb.europa.eu/news/national-news/2023/imy-orders-cd...
The "legitimate interest provisions" are for certain purposes. You can for example collect IP adresses for providing a service (eg. routing a request) or security (rate limiting to prevent DDoS) or fulfilling a contract or fraud prevention, but you cannot without consent use it for market analysis.
Consent must be given affirmatively:
> Silence, pre-ticked boxes or inactivity should not therefore constitute consent.
The above section also makes any "opt-out" not valid. You can either have opt-in or make opt-in and opt-out equal choices. You cannot only have opt-out. You also cannot provide a service based only on opt-in, in other words you cannot make customers pay with their data.
Yes, I didn't say the information didn't vary - I clearly said sites could gather many metrics depending on cookie consent, and the GA JS only refers to the information you've already given consent to have collected -- but way to miss the point.
I'm aware of what the provisions of "legitimate interest" are, not sure why you're going off like some marketing person fresh off a GDPR 101 course, bro. Chill out, and stop being such a condescending tool.
If the data hasn't been collected in the first place (due to denying cookies for such), there's nothing to pass to GA anyway. You're missing the entire point.
I don't know if you've got a hard-on for attacking Google or genuinely have just finished a Baby's Guide to GDPR and think you're all that, but you're barking up the wrong tree.
Silence doesn't apply, because you have to actively accept or deny cookies in the first place, as well as accepting or denying legitimate interest options. Have you not seen a cookie popup before? These concepts should be obvious to you.
There is no "pre-ticked box" or "inactivity" in this event either, so you're really just grasping at straws to try and justify your attacks.
Try go reading the Swedish case. Firstly, it's about Swedish companies, not Google itself. Secondly, it concerns data transfer to the US, and whether the ECJ deemed the US to have sufficient protections for data (identifiers later deemed to be considered personal, given a lack of sufficient safeguards or anonymisation) at the time of the ruling -- and specifically concerns whether the 4 companies in question did enough to protect that PII. It also concerns how this was handled with boilerplate clauses in said companies' contracts, that weren't up to the provisions required by GDPR.
It's not a declaration that GA is in violation of GDPR, or anything close to that -- it merely concerns how they integrated and used it, and their own mishandling of PII. Additionally, the version of GA in this particular case is over 3 years old, a fact you've conveniently ignored -- like you've similarly ignored that Google has drastically changed how Google Analytics are handling and processing data since then.
It's also worth noting that this was one agency of one country's government audited decisions against how companies implemented and used a service at one time several years ago -- and isn't a declaration of illegality or incompatibility by either the European Commission or the ECJ.
The issue was about how data was transferred to the US, the contractual clauses that were supposedly allowing that, and what protections (or lack thereof) existed for the transfer of this data.
You'd do well to note that the security of this data transfer was during the time of the EU-US Privacy Shield, which the ECJ later declared invalid due to US surveillance concerns.
This isn't an issue with GA specifically -- this is an issue with any US corporation, or entity that is subject to US laws like FISA 702 and the CLOUD act, which can result in companies having to hand information over to US governmental entities. That's not something limited to Analytics, or even Google LLC, or Meta, it's anyone subject to those US provisions.
The fact that you haven't grasped that the issues were the transfers, not GA itself, shows you grossly misunderstand the core issues, and are going off half-cocked, so to speak.
Any tool that collects any personal data or identifiers could violate GDPR if implemented or operated improperly, from analytics to email to a simple website with cookies.
Go read up on the Schrems II ruling that invalidated the EU-US Privacy Shield, and therefore made the data transfers in question illegal -- not the use of GA itself.
If site operators gather data or use tools improperly, or make data transfers that aren't legal, that's what violates GDPR -- as the IMY rulings...
Because if you don't want Google analysing what you do on the internet, of course you're going to trust a Google-supplied add-on to manage that in your interests, and not in Google's.
Not a googler but sometimes the paranoia on this forum is really over the top. Even in the barren privacy wasteland that is the United States you can’t provide a product that is advertised as an opt out mechanism and then make it not do that! Even burying that in the terms of service won’t fly. They would have to just discontinue it.
> Or even remember to check online to find the results of someone else's analysis of every update?
I don't need to, if they changed it then it would go to the top of HN for a day at least. That is much better than some random extension creator that can sell it to a malicious actor at any point, that isn't news so would likely go under my radar.
Just use Brave or install uBlock origin Firefox or other Chromium based browsers. And god forbid do not use Chrome. And make sure you have the Easy-Privacy list active. Brave actually uses the list internally without showing it to the user on the filter list screen.
If you would like to block tracking this way you would need to install thousands of addons for every company/domain/... its a pretty shitty solution. Is Google by law somewhere required to provide this or why is this an actual official extension?
+1 this ^ I have tried FF with ublock and other browsers. But Brave gets it better. Out of the box aggressive blocking and yet the same time providing smooth transaction experience - purchasing, adding to carts, sessions etc are frustration free without fiddling with individual filters. Performance is added bonus. Go Team Brave !!
This is probably an good thing if you're in any situation where you'd want an official, perfectly identifiable entity providing the blocking extension.
For instance this could be easier to convince a school board to introduce this extension than another one with a weird name, made by some gorhill guy they've never heard about.
36 comments
[ 0.57 ms ] story [ 262 ms ] threadEdit: wait: reify or cromulent? The whole spiel wws for reify before I realized cromulent came first lol
The Google Analytics JavaScript (gtag.js, analytics.js) runs on sites using Google Analytics, to share site-usage data (which can be gathered from either consented cookies, or "legitimate interest" exceptions) with Google Analytics.
The EU-mandated cookie box/popup literally lists Google Analytics on sites that use it, and this categorically states you can control refusal of that by using the browser add-on -- which is clearly informed consent, because you can choose not to install it, knowing the data (which could be gathered by other means anyway) will then be passed on to Analytics.
Of course this is for the average non-technical end user, who hasn't -- for example -- already used something like NoScript to block the JavaScript from running in the first place...
I don't even know if you are sarcastic but:
That is not how that works, legally or otherwise.
The GA add-on is purely about that same data being passed to GA - and the very same cookie pop-up literally tells you what information is sent, why, and tells you how you can opt out (by either blocking the JavaScript, or installing the add-on) -- it literally meets the requirements for informed consent, as you put it, "legally or otherwise."
Might want to go check that out before trying to make baseless claims, "legally or otherwise."
The "legitimate interest provisions" are for certain purposes. You can for example collect IP adresses for providing a service (eg. routing a request) or security (rate limiting to prevent DDoS) or fulfilling a contract or fraud prevention, but you cannot without consent use it for market analysis.
Consent must be given affirmatively:
> Silence, pre-ticked boxes or inactivity should not therefore constitute consent.
See here: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A... secion 32
The above section also makes any "opt-out" not valid. You can either have opt-in or make opt-in and opt-out equal choices. You cannot only have opt-out. You also cannot provide a service based only on opt-in, in other words you cannot make customers pay with their data.
I'm aware of what the provisions of "legitimate interest" are, not sure why you're going off like some marketing person fresh off a GDPR 101 course, bro. Chill out, and stop being such a condescending tool.
If the data hasn't been collected in the first place (due to denying cookies for such), there's nothing to pass to GA anyway. You're missing the entire point.
I don't know if you've got a hard-on for attacking Google or genuinely have just finished a Baby's Guide to GDPR and think you're all that, but you're barking up the wrong tree.
Silence doesn't apply, because you have to actively accept or deny cookies in the first place, as well as accepting or denying legitimate interest options. Have you not seen a cookie popup before? These concepts should be obvious to you.
There is no "pre-ticked box" or "inactivity" in this event either, so you're really just grasping at straws to try and justify your attacks.
Try go reading the Swedish case. Firstly, it's about Swedish companies, not Google itself. Secondly, it concerns data transfer to the US, and whether the ECJ deemed the US to have sufficient protections for data (identifiers later deemed to be considered personal, given a lack of sufficient safeguards or anonymisation) at the time of the ruling -- and specifically concerns whether the 4 companies in question did enough to protect that PII. It also concerns how this was handled with boilerplate clauses in said companies' contracts, that weren't up to the provisions required by GDPR.
It's not a declaration that GA is in violation of GDPR, or anything close to that -- it merely concerns how they integrated and used it, and their own mishandling of PII. Additionally, the version of GA in this particular case is over 3 years old, a fact you've conveniently ignored -- like you've similarly ignored that Google has drastically changed how Google Analytics are handling and processing data since then.
It's also worth noting that this was one agency of one country's government audited decisions against how companies implemented and used a service at one time several years ago -- and isn't a declaration of illegality or incompatibility by either the European Commission or the ECJ.
The issue was about how data was transferred to the US, the contractual clauses that were supposedly allowing that, and what protections (or lack thereof) existed for the transfer of this data.
You'd do well to note that the security of this data transfer was during the time of the EU-US Privacy Shield, which the ECJ later declared invalid due to US surveillance concerns.
This isn't an issue with GA specifically -- this is an issue with any US corporation, or entity that is subject to US laws like FISA 702 and the CLOUD act, which can result in companies having to hand information over to US governmental entities. That's not something limited to Analytics, or even Google LLC, or Meta, it's anyone subject to those US provisions.
The fact that you haven't grasped that the issues were the transfers, not GA itself, shows you grossly misunderstand the core issues, and are going off half-cocked, so to speak.
Any tool that collects any personal data or identifiers could violate GDPR if implemented or operated improperly, from analytics to email to a simple website with cookies.
Go read up on the Schrems II ruling that invalidated the EU-US Privacy Shield, and therefore made the data transfers in question illegal -- not the use of GA itself.
If site operators gather data or use tools improperly, or make data transfers that aren't legal, that's what violates GDPR -- as the IMY rulings...
Wat?
Are you going to analyze every update? Or even remember to check online to find the results of someone else's analysis of every update?
Or do you trust Google to never change their priorities with regards to how this extension operates?
Google Sued by D.C., States Over Tracking Despite Opt-Outs - https://news.bloomberglaw.com/privacy-and-data-security/goog...
Apple, Google Both Track Mobile Telemetry Data, Despite Users Opting Out - https://threatpost.com/google-apple-track-mobile-opting-out/...
They lie and break the law to profit at your expense and harm you. Treat them accordingly.
I don't need to, if they changed it then it would go to the top of HN for a day at least. That is much better than some random extension creator that can sell it to a malicious actor at any point, that isn't news so would likely go under my radar.
If you would like to block tracking this way you would need to install thousands of addons for every company/domain/... its a pretty shitty solution. Is Google by law somewhere required to provide this or why is this an actual official extension?
See this HN submission: Firefox replaces Google Analytics with fake no-op in strict tracking protection[1].
[1] https://news.ycombinator.com/item?id=26280808
For instance this could be easier to convince a school board to introduce this extension than another one with a weird name, made by some gorhill guy they've never heard about.