Tell HN: I wish “we use cookies” messages could be globally turned off
An irritating notice that websites keep telling me because of some European law I have no interest in.
It's like saying "this website uses HTTP, we do it to get data to and from your browser, click to agree".
Maybe the major web browsers should built a standard warning Javascript alert API in that can be globally turned off.
138 comments
[ 5.2 ms ] story [ 235 ms ] threadit's also super-incompatible with a lot of websites, but I know that going into it.
Had the law required clearly stating what tracking was happening, and which third parties data was being shared with, in a way other than a wall of text privacy policy I'd be right behind it. The law as it stands does nothing but annoy people.
Some people care about privacy, especially when it comes to cookies. You should be upset at the nasty ways companies use them to track people instead of the lawmakers trying to protect citizens' privacy.
https://silktide.com/the-stupid-cookie-law-is-dead-at-last/
http://nocookielaw.com/
Nobody in Europe does either. The whole thing is generally considered completely pointless and unenforceable.
> Rock Paper Shotgun uses cookies. For some reason we are now obliged to notify you of this fact. Not that you care.
after visiting RPS, you'll get cookies from the following additional domains:
This might change depending on location and time of when you visit it.I can see how you might think: "who cares if Google Analytics tracks me? Google already has all my web searches", but it's not that simple... every one of these entities can share information about your visits with any other (search for "cookie matching"), and yet... with a visit to a single (!) website, you're loaded with cookies from 12 external different domains, all of which have the exact same purpose.
Personally, I never cared that much about privacy (or at least, this kind of privacy) but now... if only out of spite... I disable storage of 3rd party cookies in my Firefox.
So it's not only a matter of privacy, but also a matter of respect for the (your) user:
as a videogames site, you can easily (?[1]) provide advertisement targeted only to your main audience (for advertisement metrics and fraud prevention, the advertiser could just use the referrer and ip of the source, at least for a first approximation)... so it's not true that giving up (tracking) cookies would prevent advertisement
OTOH: by including random 3rd party javascript (and not simply static resources like images, css, etc. with their own tracking cookie) you are completely leaving your user to the good faith of these other companies, which are then able to use javascript to load other resources, and so on and so on... reselling your visits to other companies again
Not only is this wasteful and never done according to the explicit will of the user, but since the visits span multiple domains, this is something that not even HTTP2 will be able to help for.
Lastly, I think it's antithetic to the very original purpose of HTTP: HTTP nowadays is used for webapps and plenty of different things, but reading articles, seeing images (and possibly videos, just like on RPS) aligns quite well with the original purpose: downloading and transmitting simple documents or data thereof
Cookies are a way to circumvent the stateless nature of HTTP, but why shouldn't a news site like RPS be stateless? (the exception would be for comments, but that isn't necessarily always true either, and anyhow for that the issue is more nuanced)
[1] I have never done it, but I hope so... I hope that inserting adwords is not the only way
Unfortunately, companies collectively decided that their businessmodel does not need changing at all, and simply implemented a "cookie wall" for all their consumers. This led to consumers, like you, to quickly get "cookie wall fatigue" and try to click 'OK' as soon as possible, without thinking at all.
And all the while, we complain that privacy on the Internet is going to hell, and there is nothing we can do about it, because consumers don't care enough, or have given up...
anyway, I think this is mostly a social and educational failure and shows how much more we need to do before we actually own our own hardware instead of relying on the god will of third parties, which never actually works.
moreover this should have been fixed at browser level, and it already was. anyone caring for privacy already had configured the browser for this stuff; at most people just needed more awareness on what was already available in term of privacy controlling extensions
instead we got retarded regulations which explicitly exclude session, authentication and social cookies so basically does nothing about the real issue - 'oh this is not google analytics, it's google plus tracking you - wink wink' - and data mining proceeds as usual.
Why can't you report it? In the UK, head to the IPO (https://ico.org.uk/concerns/), for example. Other countries have similar bodies.
If you want to have a Remember me checkbox (=writing a cookie with a session id), you'll have to get the user autorization. It effectively protects from nothing, it justs makes more popups in everyones life (yay!).
I think we are living in an era where there is a huge knowledge and perception gap with the people making the laws (At least in Europe). Hopefully this gap will narrow in the next 10-20 years, and things will be shapen more correctly in the future.
If anything, think, just for a second, how much this law has costed the EU, and how many hours has been wasted reading/participating in the law. Of course, it could be one way of stimulating the economy, but I'd like to think it wasn't.
Again, companies are trying very hard to hide this choice, but a tiny result from the study is that you do get this choice.
[X] Remember me (uses a cookie, see _terms_)
That should do, so long as the box is unticked by default.
Also it's pretty easy for any website that wants to track you, to track you using something other than cookies.
No it's not. At least for Firefox, the cookie preferences feature has been neglected for years. It's hidden beyond an increasing number of clicks and has long standing bugs (for instance, my whitelist of sites I allow cookies from is wiped each time Firefox upgrades)
> Also it's pretty easy for any website that wants to track you, to track you using something other than cookies.
The specific law (details are slightly different in each European country) I'm familiar with concerns storing and processing identifying information. For various reasons, everybody focused exclusively on HTTP cookies, but tracking using, say, ETAGs would fall under the same requirement of notifying the users as far as I know.
I think the fact that they're actually making it harder with each new UI revision - and trying to make it go away in some sense - is a sign that their interests are not aligned with those of their users' desire for privacy. It's not so surprising, really, as their revenue largely comes from an ad-supported search engine, and so they would not want to be defeating ad-networks' tracking by making cookie management/blocking easier...
As much as I hate the idea of protecting people from themselves, there's some merit to this.
https://addons.mozilla.org/en-us/firefox/addon/ghostery/
It's completely unenforceable.
weird, I don't have that problem? (Firefox 38 Linux)
If there was a law passed that users had to agree to being tracked (be that via tracking cookies, or any other medium), or that users had to agree to having persistent sessions (eg entries on a session table), then that might have actually made some impact. Though I'm sure even then, there's easy workarounds (eg web server logs).
However they made the law too broad and had it cover on site cookies too, which get used for the typical session information that powers features that every consumer expects these days (recently viewed, shopping baskets, etc.). So the companies got caught in the general stupidity.
I agree, but cookies aren't the only method of being tracked. So we're back to my original point that legislating against cookies specifically isn't the right way to go about addressing privacy concerns. Hense why I said they should be targeting the tracking data that is stored remotely, as that will cover a multitude of sins.
Rather than mandate every server behave nicely (an enforceability nightmare), why not mandate every client protect users' privacy with deeper cookie control? Sort of like the one time preference request option when installing something from an app store:
"This site tried to set a cookie to <adtracker.site-you-are-not-on.com>; do you accept (y/n)? (more info link) --> Cookies can be used to track you across websites; some people feel this is an invasion of their privacy."
You could even mandate browsers allow for whitelisting and blacklisting. For the people who care, it'd break the back of the tracking industry within one generation of browser evolution.
The problem is that:
1) every site writes cookies and some cookies are needed for sites to behave properly (eg it would be impossible to use online shopping without cookies). So the amount of "do you accept" messages you'd see would be insane. It would get to the point that users would just give up and accept everything (pretty much like we do now, in fact).
As a fun experiment, lynx (the terminal based web browser) asks you to accept cookies by default. So try browsing around the web with that. You'd see how very quickly it becomes the most annoying thing ever!
2) what happens when your tracking cookie comes from the same domain as site which you might want cookies stored from? You either have to accept being tracked or break that site.
3) lastly, there are methods of being tracked without the use of cookies. Cookies are by far the easiest and thus most common. But it's possible to work around disabled cookies.
But I agree with you that this is some misguided legislation for many reasons.
I do agree that ideally we don't want these cookies either, but those cookies would be useless without any data against anyway.
Thats not even a noble goal to pursue. Companies should be fined for invading privacy/tracking habits. Simple.
[1] https://github.com/r4vi/block-the-eu-cookie-shit-list
https://chrome.google.com/webstore/detail/i-dont-care-about-...
It's $FREE too.
Who would have thought that the browser has access to what you type into it???? Surely keyboards should come with massive warning stickers to highlight the danger.
It is unlikely, however, since it is a EU directive and is now law in most European countries. Here's my take on why it is totally idiotic and ignorant of the underlying problem: http://cfenollosa.com/blog/the-ignorant-eu-cookie-law.html
We can keep a list of [ webistes -> $('#TheCookieDiv').click ] - commands which we keep on github and shake like homebrew does (`cookieThing update` could be run daily)
Companies would like this too because they then could keep doing exactly what they are doing (to be complaint), but perhaps we could convince them to add a file to their websites specifically for our tool to look up the DIV. Something like www.site.com/cookieAcceptDiv.txt which would list the clickable region to suppress the pop-up
https://chrome.google.com/webstore/detail/peeshkot/idfkeeahc...
I don't recommend using it though. Last time I looked at it it used a very broad heuristic to find the cookie consent buttons. I wouldn't trust it not to click something more important by mistake.
But hey, rather than scaling back HTML 5 includes a client side database! WTF?
Cookies should have been at most a GUID for a single session on a single server.
With a little dynamic content you can put a session GUID in every link on a site and not have anything stored locally on the users machine. Back in the day this was a more significant problem than it would be today. Note that this would also preserve the user ID in bookmarks. Also, it really begs for HTTPS.
There are probably other ways to do these things, but people will either claim they are inefficient or just keep their blinders on and make excuses in favor of the status quo. Of course many of the alternatives could probably be abused as well, it's just harder.
"However, some cookies are exempt from this requirement. Consent is not required if the cookie is: used for the sole purpose of carrying out the transmission of a communication, and strictly necessary in order for the provider of an information society service explicitly required by the user to provide that service." Source: http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm#se...
So it turns out the directive isn't as dumb as many believe it to be, but a lot of webmasters wrongly believe that any cookie usage implies having to put up the notice. (Or the nuance was lost on the in-house legal team who briefed the webmaster.)
I run a software-as-a-service company in the EU, but only use cookies for login management. Therefore, I do not need to use the warning. But if I would track my users for advertising etc. I'd have to insert the warning in my web app.
This thoughtless behaviour reminds me of the thousands of websites which include a "(c) YYYY" copyright notice in their footers, despite this being completely irrelevant in modern copyright law.
I'll bite :-) Are you automatically covered then? - companies like Apple still do it .... 'Copyright © 2015 Apple Inc. All rights reserved.'
So for some it might have a use, but it seems to me that thousands of webmasters (including myself) have been copying this pre-1989 US-only best-practice, just because it is nice to have something to put it the footer :-)
> Use of the notice may be important because it informs the public that the work is protected by copyright, identifies the copyright owner, and shows the year of first publication. Furthermore, in the event that a work is infringed, if a proper notice of copyright appears on the published copy or copies to which a defendant in a copyright infringement suit had access, then no weight shall be given to such a defendant’s interposi tion of a defense based on innocent infringement in mitigation of actual or statutory damages, except as provided in section 504(c)(2) of the copyright law. Innocent infringement occurs when the infringer did not realize that the work was protected.
(http://copyright.gov/circs/circ01.pdf)
> A website — graphics, content, visual elements — is copyrighted at the time of development. So putting the copyright notice on the bottom of a site states that the material displayed is not to be used without permission of the owner. In fact, you don’t even need the notice to claim copyright; the law eliminated the requirement of public notice in 1989.
Source: http://www.sitepoint.com/what-it-means-to-copyright-a-websit...
"The enjoyment and the exercise of these rights shall not be subject to any formality"
[0] https://en.wikisource.org/wiki/Convention_for_the_Protection...
© <?php echo strftime('%Y'); ?>
;-)
As a EU citizen, I think this example shows how stupid laws can come out of good intentions. Why stupid? Because, no matter what the intentions were, the only practical effect is creating a nuisance for web users, who quickly learn to ignore the consent requests.
A more useful directive would have been some sort of legally-backed "coloured cookie" type system, where a cookie has to declare for what purpose (session, internal analytics, adverts, site-to-site tracking, etc.) it's for, so browsers can then selectively block those categories. That would be useful, because then you could punish people who lie about the purpose of their cookie.
Do we also need servers to inform us in large letters that they're making a note of our IP address and adding it to their logs? That they're using our referral info and browser details (I'm using Chromium on a Mac!)? That they'll use those details for analysis? Weirdly people have switched to Google analytics instead of just looking at the server logs (like awstats from yesteryear). Do we need messages telling us that the ISP is throttling us or logging too? That I'm using PPP or something?
It's all daft. Hopefully this madness doesn't make it into mobile telephone calls - "your location can be triangulated from our phone towers"; "you're using GSM which has weak encryption and can be eavesdropped" etc. etc.
We should have the option of authorising all the GET requests it makes too I feel! That'd keep websites from loading too much (and suffering website bloat, as the average website data size has been climbing massively due to all that JavaScript)
If a lawyer somewhere figures out how to parlay this into a class-action/privacy issue (maybe Europe?) they are going to be filthy rich since this is so widespread. Even government websites use GA and fail to disclose it as required.
Good. That's the entire point. The law is there to notify users when their web usage is being tracked, and that's precisely what Google Analytics is for.
(assuming I'd only see the notice once if I'd keep my cookies, not actually sure if that would be the case, nor do I care to find out ...)
I think directive is exactly as dumb as the effect it causes. Regardless of lawmakers intentions or even the letter of the law.
But that person hangs around with EU parlamentarians.
I was pleasantly surprised that the legislators were aware of the necessity of cookies for login management. At least it allows me to keep my web app clean of this pollution...
I'm not saying I necessarily disagree with the idea behind the law, rather that almost everybody uses cookies and making everybody announce that doesn't mean we're suddenly all informed.
An implicit /cookies/ or /cookies.html or even a domain-level TXT record would be just as informative, without clobbering user experience with a message that everybody is now blind to.
As others have said, copyright notices are as much about preventing infringement as they are anything else. Consider them similar to a "Thieves will be prosecuted" signs in shops.
source: https://ico.org.uk/for-organisations/guide-to-pecr/cookies-a...
(For the record: I would prefer a technological, rather than legislative solution here.)
At least in Germany, sending such cease&desists is a lucrative business for many lawyers and organizations.
https://www.youtube.com/watch?v=6x0cAzQ7PVs&t=6m45s (6:45–8:27)
TL;DW: "It's actually not there for legal reasons, [...] it's there as punctuation."
(No longer necessary for them, still a nice anecdote.)
Some sites now offer me the choice of cookies, the choice to participate in a quick survey, a choice to use the iOS app, another iOS app choice that is identical to the first, the choice to instantly connect to a live customer service representative and no choice about watching a partner video. Might as well bring back all the animated GIFs and marquee text.
http://i.imgur.com/9qvdOfW.png
(Opera, before it turned into yet-another-webkit-browser - and removed that very useful feature.)
Since I have JS (and cookies) off by default I don't get the cookie messages much if at all, but for sites which need JS or cookies, it's almost trivial to enable them immediately.
IMO, the web has gotten considerably worse in the last few years.
AFAIK Firefox also has site specific settings hidden somewhere but I am not sure.
RIP Opera 12... I wish they'd just freely release the sources.
http://www-archive.mozilla.org/projects/security/components/...
...and there was even a bug to create a nice UI for it...
https://bugzilla.mozilla.org/show_bug.cgi?id=38966
...but look at the last comment on that bug. :(
Interestingly enough, IE11 still contains much the same UI for white/black/default-listing sites in different zones with configurable options that has been there since at least IE4:
https://support.microsoft.com/en-us/kb/174360
What can be done about that? Its not unreasonable for vendors to keep and share information. Its not practical to have personal control over what they're doing up there in the cloud.
The language in the ePrivacy Directive always talks about tracking terminals (devices.) It's not just about cookies, or browsers. You need the user's consent to track their device, period. (However you don't need consent for e.g. basic cookies that are necessary for a site to function, and which aren't used for tracking.)