
Ask HN: Why have we accepted the cookie pop-up situation across the web?

 2 years ago
source link: https://news.ycombinator.com/item?id=29529062


443 points by LightG 3 days ago | 332 comments

You know what I'm talking about. Even at their best, the pop-ups for every single website to accept or choose cookies are ridiculous.

Can you imagine how much time in total we all lose to this?

And yet, these "solutions" to the data privacy questions have become widespread.

It's bad enough at normal times, let alone those who double triple quadruple bluff you into choosing the wrong setting.

This is a tech board.

Why have we all accepted this ridiculous situation?

Isn't there a better solution?

Well, it's basically malicious compliance. They're supposed to be super annoying because the people who need them do things which have been deemed unacceptable by the legislature. Instead of complying, they chose this obnoxious practice so they could continue with what they've been doing for years, which is monitoring every action a visitor takes.

You don't need a cookie banner to be allowed to create cookies. You only need them if you're using them for something like tracking.

A session cookie, selected theme etc. is all fine without that banner.

> Well, it's basically malicious compliance.

Agreed. I can't think of a more widespread and effective campaign by an entire industry to gaslight their customers into hating a regulation more than the invasive practice that is being regulated.

Exactly. We should attack the core issue here; tracking is a form of invasion of privacy and should be banned in general.

No, the core issue is that advertisements are not enough for them, they want personal data too.

Giving someone with a website an image that they put up there is simple and requires zero cookies. If your goal is to have people see that banner this is literally all you need to do.

But of course advertisers want targeted ads, they want to get metrics (they don't care how truthful those metrics are, but who cares right?).

I don't think most websites honestly care about personal data. What most sites want to know is what anonymous users are doing on their sites so they can improve them.

I for one need this data on a daily basis to help me decide how to make products better. I think the legislation doesn't do its job properly. Why not force it so that, like Apple, the browser informs the websites that they don't want to be tracked, then it is the website's issue if they are caught tracking. Or all browsers forcibly obscure a user's PII.

I have made a living selling a software product for more than ten years without any behavior tracking at all. I just don't think tracking users is necessary.

Analytics companies that try to sell their analytics will of course tell you that you need analytics, but I just don't think it's true.

The only analytics I need are sales numbers. When they go up, I know I'm on the right track :)

The way I learn about my customers is that I put my email address on every page of my website. And then I read emails that folks send me, and this way I learn way more about my customers than any analytics could tell me, all without invading someone's privacy.

(There is one exception: My apps do send crash reports, but they only send stack traces, no user data, and I don't log any identifiable info like IP addresses.)

No idea what product you make, but thank you! Yours is a company I would like doing business with.
The advertisers whose advertisements are shown care. And because they pay more for targeted ads, the website cares.

The ad industry believes targeted ads are cheaper and more effective in aggregate than un-targeted ads.

Also, if the website is selling PII to “partners” as another revenue stream, then the website cares.

The ad industry used to target ads by aiming at a publication’s audience or subscriber base. The publication would conduct surveys or do Nielsen rating type measures to get a sense who their audience was.

When publications online went from trying to build an audience to trying to drive traffic we ended up with the situation we have now. They don’t have audiences anymore, they have atomized bits of content without much in the way of editorial voice or culture to tie it together. They care not one whit about making their site a destination, just trying to chum the waters for whatever will bring in a catch of fresh eyeballs.

Exactly. I think even if people were to pay for visiting a website, there would still be ads or tracking because that's too profitable a thing to let go.
Or maybe billions of venture funding created unrealistic growth expectations. This turned otherwise good businesses into data hogs.
Nah. People have always wanted free shit. I once volunteered at an event for fancy people. Occasionally we would put out some moderately cool free shit. I saw a lot of people worth millions to hundreds of millions leaping into the scrum for things that they could buy for $50-100.

People wanting free shit is a constant. The problem is how we channel that desire, which is very much in our control.

This "you can't have free stuff" argument I've seen way too many times now is based on a false premise.

You _absolutely_ can have free stuff. I remember the web when it was run by hobbyists, and that's exactly how it worked. What people who use the "no free stuff" argument really mean is that there are those who are on the web to make money, and you can't have their stuff for free.

To that I'd say; take your stuff and go home. Your stuff is exactly what ruined the web in the first place.

That stuff that you've consumed wasn't free, those hobbyists paid for it out of the pocket. Sure, some can afford to do this to this day, but this doesn't scale. Nowadays internet is too populous and expectations are set too high for this to keep working.
Sure, I was one of the ones that paid for it out of my own pocket.

> Nowadays internet is too populous and expectations are set too high for this to keep working.

I agree with you on both counts, and would like to see a return to a niche web that doesn't work for most people.

EDIT:

P.S. I realise how unlikely that is, so it's not something I'd waste energy on. What I do think is worth thinking about though, is how impossible certain companies are making it for the niche web of the early days to even exist in its own little corner.

> I agree with you on both counts, and would like to see a return to a niche web that doesn't work for most people.

That would be a web without Google, and in fact any search engine at all. Do you really want to go back to 1990 level of functionality?

A thousand times yes, but again, I know that's not something that's possible.

What I'm objecting to is it not being possible for even the old farts like me who want it. Google and co.'s contributions to things like e-mail and websites have made it more and more unfeasible to self-host and manage these services. It's a bit like how you're _technically_ free to farm your own food, only not really because you can't comply with the regulations surrounding growing crops (no I'm not kidding, Google and gasp).

Man, that's so "unclassy" of those millionaires.
It was a surprise to me for sure. On the other hand, maybe being aggressively, pathologically grabby is how a lot of people become millionaires.
Exactly. I know at least one that bought a box of paper clips 30+ years ago and still uses the same ones today.
Nothing is free.

So people pay with their privacy, some because they are tricked into it, some because they don't care.

Point is that invasion of privacy is bad and you should not have even an option to trade it for "free shit".

That is far from certain. I happily pay for Netflix and other services that provide high quality content without ads. Consider reading Jaron Lanier's books or content, there is another way.
And therein lies the problem. You pay 10 bucks a month to a behemoth, but would you pay 1 cent to the site which gives you less value than Netflix? That would be way impractical. So the smaller sites have to turn to ads and tracking to keep the lights on.
That's the problem Brave is trying to solve. Micropayments have been a potential niche for cryptocurrencies, it just hasn't taken off (yet), even though there's a lot of crypto related "innovations" (DeFi, NFT's, whatnot).
You're posting this as a HN contributor or as a freeloader?
It was advertising companies that started this trend of giving shit away for “free”. Before then people were used to paying for services.
That's so weird, I don't pay any money to Ycombinator. And yet, no cookie popups!
That's because Hacker News _is_ the ad. It helps promote YCombinator itself, by adding prestige.
But as ads go it's really benign. No tracking, no constant in-your-face reminders, no retargeting etc...
I'm not sure if that was their goal when launching HN, but it definitely helps their brand image now.
We're talking about tracking cookies, not ads.
You're being pedantic. Tracking cookies are, in general, in support of ads.
Which is irrelevant, since the converse does not need to be true - we are talking about tracking cookies.

Postulate 1: This website is free.

Postulate 2: This website does not use tracking cookies.

Theorem 1: Tracking cookies are not required for free websites to exist.

Postulate 3: This website is an ad.

Theorem 2: Ads do not require tracking cookies.

Note that my original comment asserted Theorem 1 only.

There are many forms of free. One of them is that the free product supports the paid product in some manner which is the case with HN and Y Combinator. Something similar applies with the lightly branded content marketing sites and reports that many companies sponsor. Ad-supported is just one approach, albeit a common one.
Hah, as a European I feel that way about how sales tax is handled by businesses in the US.
Sounds like the McDonald's character assassination of that woman that got burned.

Gotta love Americans' way of doing business.

Tangentially-related, but it's funny that you should say that, and in as many words.

https://youtu.be/hX2aZUav-54

What’s a better design for asking for consent?
Don't prompt for consent unless there is a concrete benefit to the particular user you are asking, and in that case make the trade off clear.

In other words, for all these news sites doing it, "just stop".

Take the DNT (do-not-track) request for an answer.
1. Default deny – to begin with.

2. In the event (1) is too much to ask, all websites importing our privacy settings from a unified service where we can do our privacy customisation once and for all.

Most of the banners swap the confirmation, cancel and allow all buttons. Don’t do this. Most of the banners also swap the direction of the on off toggles so it looks opposite of what action you’re taking. Don’t do this either.

Instead, have a simple modal with confirm and cancel in the proper locations, and just use checkboxes. Have every one deselected to start with as if someone is viewing that modal they’re likely about to disable all of them.

Standardized consent first of all, so I know how to get out of useless modal windows as fast as possible.
I think this is key. The opt out must be as easy as the opt in. The common practice seems to be press "ok" to opt in. Then click on "more information" to opt out. But "more information" takes you to a Byzantine click through maze. If it were legally mandated what the allowed language and also graphic design language for this was then much of the problem would be alleviated.
> You don't need a cookie banner to be allowed to create Cookies. You only need them if you're using them for something like tracking.

That is a common misunderstanding of the ePrivacy Directive [1][2]. It applies to all cookies (and "similar devices") that are not "strictly necessary in order to provide an information society service explicitly requested by the subscriber or user". And "strictly necessary" is quite a high bar.

(not a lawyer)

[1] https://en.wikipedia.org/wiki/Privacy_and_Electronic_Communi...

[2] https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL... See especially (25).

It’s not that high. Here’s an official opinion on some use cases that meet the bar and some that don’t: https://ec.europa.eu/justice/article-29/documentation/opinio...

Generally, it matches my expectations. Shopping carts, sessions, and even most user preferences are fine and don’t need a banner. Worst case a small “uses cookies” text next to a language change button is enough.

It is still very strict. For example, here is what the document you link has to say about cookie lifetimes for shopping carts:

"A cookie that is exempted from consent should have a lifespan that is in direct relation to the purpose it is used for, and must be set to expire once it is not needed, taking into account the reasonable expectations of the average user or subscriber. This suggests that cookies that match CRITERION A and B will likely be cookies that are set to expire when the browser session ends or even earlier. However, this is not always the case. For example, in the shopping basket scenario presented in the following section, a merchant could set the cookie either to persist past the end of the browser session or for a couple of hours in the future to take into account the fact that the user may accidentally close his browser and could have a reasonable expectation to recover the contents of his shopping basket when he returns to the merchant’s website in the following minutes."

So? That's totally what I'd expect from a shopping cart cookie. I don't expect something I put in a cart to be there the next day (I will have bought it somewhere else).

I was using the website for a Dutch big box hardware store (Gamma) today, and it had a door stopper I was looking to purchase half a year ago in my shopping cart. I never finished that transaction. That kind of retention is just pointless.

While I do agree keeping items in the cart for a year is not what users expect, if someone puts something in their cart, closes the browser, and then comes back the next day, I think most e-commerce sites would still list the item. And I think that's generally something users want.
It’s worth noting that you do not need cookies to store shopping cart details if you have a user account system. You can store their cart in a database and associate it with a user account.

A session based cookie can then be used to store your identity in a short term session, and the server can easily gather long-term storage on its own.

I think it’s a fair compromise to say “if you want to save this cart, please log in”, which satisfies opt-in data tracking in a user friendly way. You aren’t mandating a user account, but if you opt in you get something potentially useful.

My principal complaint about most of the discourse on this topic is that it is superficial. There are reasonable workarounds for most user-friendly tracking that allow for tacit opt-in via responsible and clear UX. The “hard parts” seem to generally concern the type of tracking that isn’t so clearly user-friendly, such as behavior tracking and PII collection, which is a conversation we should be having anyway without obfuscating the issue by pretending it’s about the easy stuff.
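The pattern described in this comment, a cart held server-side and referenced only by a short-lived session cookie, as an added example that is not the commenter's code. It uses the standard library only; the cookie name, the in-memory `CARTS` store and the constructed `PERSISTENT_ID_COOKIE` header used for comparison are assumptions of the example. The `is_session_scoped` helper is the kind of check a reviewer can run over a site's `Set-Cookie` headers to spot identifiers that outlive the browser session.

```python
"""Added example: a shopping cart kept server-side and referenced by a
session-scoped cookie, plus an audit helper that tells session cookies
apart from persistent ones by reading Set-Cookie headers.
Names and the in-memory store are assumptions for the example.
"""
import secrets
from http.cookies import SimpleCookie

CART_COOKIE = "cart_session"
CARTS = {}  # server-side store (assumed): session id -> list of items


def new_cart_session():
    """Create a cart and return (session_id, Set-Cookie header value).

    No Max-Age/Expires is set, so the browser discards the cookie when the
    session ends; the cart contents themselves never leave the server.
    """
    sid = secrets.token_urlsafe(32)
    CARTS[sid] = []
    c = SimpleCookie()
    c[CART_COOKIE] = sid
    c[CART_COOKIE]["httponly"] = True   # not readable by page scripts
    c[CART_COOKIE]["secure"] = True     # sent over HTTPS only
    c[CART_COOKIE]["samesite"] = "Lax"  # not sent on cross-site POSTs
    c[CART_COOKIE]["path"] = "/"
    return sid, c.output(header="").strip()


def add_item(cookie_header, item):
    """Look up the cart from the request's Cookie header and add an item."""
    c = SimpleCookie()
    c.load(cookie_header)
    sid = c[CART_COOKIE].value
    CARTS[sid].append(item)
    return list(CARTS[sid])


def is_session_scoped(set_cookie):
    """True if a Set-Cookie header carries neither Max-Age nor Expires,
    i.e. the cookie lives only as long as the browser session."""
    attrs = [part.strip().lower() for part in set_cookie.split(";")[1:]]
    return not any(a.startswith(("max-age=", "expires=")) for a in attrs)


# Constructed example of a two-year identifier cookie, for comparison.
PERSISTENT_ID_COOKIE = "uid=0123456789abcdef; Max-Age=63072000; Path=/"

if __name__ == "__main__":
    sid, set_cookie = new_cart_session()
    print("Set-Cookie:", set_cookie)
    print(add_item(f"{CART_COOKIE}={sid}", "door stopper"))
    print("cart cookie session-scoped:", is_session_scoped(set_cookie))
    print("uid cookie session-scoped:", is_session_scoped(PERSISTENT_ID_COOKIE))
```

The session id is the only thing stored client-side, and it is random rather than derived from any user attribute; if a site later wants the cart to survive a closed browser, the comment's "log in to save this cart" step moves that decision to the user instead of silently extending the cookie's lifetime.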

I think just about the only "essential" cookies to ensure functionality would be session cookies. But I would be surprised to learn that the point is to eliminate useful cookies. Shopping cart cookies, when designed so they are not shared with 3rd parties, are benign and should not require an opt-in. That's my opinion on most cookie-based functionality, really. Client-side state is useful for a lot of user-friendly functionality.

For example, remembering things like Dark Mode, pop-up re-sizing, slider locations (volume for example) are all legitimate use cases that I would prefer as a user to be isolated per client.

I think that works if the site clearly says that your preference will be stored. On the other hand, if it's just a "dark mode" checkbox or something, my reading of the directive is that isn't enough?
I don't want to have to make accounts on websites just for them to remember what is in my cart for my next visit. I don't like having more accounts, especially if I'm not yet sure if I'm going to buy from them.

Since the site does not know you are leaving, it doesn't have any opportunity to prompt you and ask whether you would like to save your cart (and if it did I would find it pretty annoying)

If I go to an e-commerce website that I am not signed in to, add a bunch of stuff to my cart and leave, I have absolutely no expectation the cart will persist until the next day, and I really don’t think you should either. Not only is it an unreasonable expectation as an end user, but it also sounds like an absolute nightmare for businesses (Do you hold physical inventory for things in the cart? What about price changes or products being discontinued? Etc.).
In practice, sellers do deal with this. The most common approach is that putting something in the cart does not reserve it or maintain a fixed price. Then if availability or pricing changes, they flag that to the user when viewing the cart.
Also, you initially asserted that the regulations were strict for any and all cookie usage. The person replying to you provided plenty of evidence to the contrary, and now you’re bringing up incredibly niche edge cases, to what end I’m not sure. I think it would be more productive to just concede that the regulations aren’t as strict as you stated.
Most companies will not be compliant unless they do one of (a) get consent from users or (b) hire a lawyer to review each of the things they do in the context of ePrivacy, and make corresponding changes to keep everything within the bounds of "strictly necessary". I'm bringing up these 'edge cases' as part of showing that most sites would have changes they would need to make if they wanted to stop asking for consent from users, and that these changes are not obvious and go beyond removing tracking.
> I don't expect something I put in a cart to be there the next day

I do. I use the shopping cart as a staging area sometimes when deciding what to buy. In fact, I don't really see a good reason for a shopping cart to ever lose items I put in it until I explicitly remove them or they stop being available, since the whole point of a cart is to express intent to buy.

The whole point of a shopping cart is for items that you are going to buy--not for things you may (or may not) buy tomorrow. It's a shopping cart. Not a bookmarking service. You don't go into a physical grocery store, put things in your shopping basket, leave, and expect them to be there when you walk in the next day.
That is your interpretation of shopping carts in web stores. Other people add things to their cart as they need to replace e.g. items in the stationery cupboard, then check out once a week. Some people use the cart as a form of wishlist, or a picking list while evaluating similar products.

At the very least, if a site doesn’t offer wishlist, shopping list or other bookmarking facilities I would expect the shopping cart to give me a cookie that lasts at least three days to cover the weekend, or the option to create an account to save that shopping list/cart to come back to later.

The metaphor is imperfect. It is a staging area for orders in practice, and people like to be able to use it that way. I often build up a shopping cart on several sites while trying to figure out where is the best place to buy from (especially in cases where shipping is a large proportion of the overall price) and sometimes this takes me several days.
Often you need only the session cookie. Everything else can go into the database indexed by that cookie. This is especially safe if the user has an account and won't lose the data if the cookie is lost.
I think I would understand what is meant by an "information service", but what exactly is an "information society service"? Such odd wording -- does it have a specific meaning?
It's a legal term the EU came up with to cover things like websites and apps in a technology-agnostic manner.
Surely if someone has instructed the website to remember a setting, then that cookie was explicitly requested by the user?
Storing something in response to an explicit user request seems fine without additional consent, though you still need to explain to users how the cookies are used to fulfill their request. [1]

On the other hand, there are many things that sites do that are not fully explicit. For example, shopping sites often show you items you have recently viewed to facilitate comparisons, or a news site showing ads might want to make sure they don't show you the same one over and over. That doesn't sound to me like it is strictly necessary for the functioning of the site?

[1] "users are provided with clear and precise information in accordance with Directive 95/46/EC about the purposes of cookies or similar devices so as to ensure that users are made aware of information being placed on the terminal equipment they are using"

Couldn't sites wait to ask for cookie permission until the user actually tries to do something that may benefit from a cookie? Like put text and a link with an explanation next to buttons to change the theme, or next to regions which may contain recently viewed items.
Preferably this would use a browser cookie setting. I know you use cookies to store my settings, I don't need you to ask. Please stop asking.
I've been wondering about that. I have a simple web app and I'd like to gather some basic statistics about what users do, which pages they visit... Not to spy on people, not to share with anyone else, just to have some insight on how to make the app better. The app is just a toy program people use for fun, you couldn't possibly argue that any stats I'd be collecting could be used maliciously. It seems to be difficult to do that while respecting the GDPR and without some annoying pop-up though?
Technical answer: You can use Differential Privacy[1] to collect such data (“what percentage of users used this feature?”, “What is the distribution of time between visits?”, etc) without collecting any data about individuals. Some projects already do this and there are open source libraries that do the math for you.

However, I don’t think the regulations have an explicit safe harbor along the lines of “You’re fine as long as the math checks out”. Perhaps if it did, we wouldn’t be in such a mess.

(A passive observer that sees a JSON POST wouldn’t know that you’re using differential privacy. It would look like typical telemetry. They’d have to read your code or look at multiple samples and notice that the data looks random)

https://en.m.wikipedia.org/wiki/Differential_privacy
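The randomized-response mechanism is the simplest instance of the local differential privacy the comment above refers to. The block below is an added example written for this thread, not code from the commenter or from any of the libraries mentioned; the question ("did you use feature X?"), the truth probability `TRUTH_PROB` and the simulated population are assumptions. Each client flips a coin before answering, so the server can never attribute a true answer to an individual, yet the known noise distribution lets it recover an unbiased population rate.

```python
"""Added example: local differential privacy via randomized response for a
yes/no telemetry question such as "did you use feature X this session?".

Client: with probability TRUTH_PROB report the real answer, otherwise
report a uniformly random bit. Server: correct for the known noise.
"""
import math
import random

TRUTH_PROB = 0.5  # probability a client answers truthfully (assumed setting)


def randomize(true_answer, rng, p=TRUTH_PROB):
    """Client side: the bit that is actually sent to the server."""
    if rng.random() < p:
        return true_answer
    return rng.random() < 0.5  # random bit, independent of the true answer


def epsilon(p=TRUTH_PROB):
    """Privacy budget of the mechanism.

    P(report=1 | true=1) = p + (1-p)/2 and P(report=1 | true=0) = (1-p)/2,
    so the worst-case likelihood ratio is (1+p)/(1-p); epsilon is its log.
    """
    return math.log((1 + p) / (1 - p))


def estimate_true_rate(reported_yes, n, p=TRUTH_PROB):
    """Server side: unbiased estimate of the fraction of true 'yes' answers.

    E[reported rate] = p * t + (1-p)/2, solved for t.
    """
    reported_rate = reported_yes / n
    return (reported_rate - (1 - p) / 2) / p


def simulate(n, true_rate, seed=0, p=TRUTH_PROB):
    """Constructed population of n clients; returns true vs estimated rate."""
    rng = random.Random(seed)
    true_answers = [rng.random() < true_rate for _ in range(n)]
    reported = [randomize(a, rng, p) for a in true_answers]
    return {
        "true_rate": sum(true_answers) / n,
        "reported_rate": sum(reported) / n,
        "estimated_rate": estimate_true_rate(sum(reported), n, p),
    }


if __name__ == "__main__":
    result = simulate(n=10_000, true_rate=0.3)
    print(f"epsilon = {epsilon():.3f}")
    for name, value in result.items():
        print(f"{name:15s} {value:.4f}")
```

With `TRUTH_PROB = 0.5` the budget is ln 3 per answer; raising the truth probability tightens the estimate but weakens the deniability of any single response, and the estimate's error shrinks with the square root of the number of clients, so this only works for aggregate questions, never for per-user ones. This also illustrates the comment's last point: the POST body carries a single bit that looks like ordinary telemetry, and nothing on the wire reveals that it was randomized.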

Do you really need cookies for this or could you also use your server logs for this?

By default you would not gather statistics, but you could ask inside your app whether people are willing to participate in making the app better and whether they would agree to accept some cookies for this reason.

I don't need cookies for this. However, AFAIK the GDPR doesn't just apply to cookies, it applies to any data retention, or at least anything that could be tied to an IP address or a certain user.

Maybe the key is to have stats that are purely anonymous, eg, how many people visited this page.

Right, I focused on cookies here. Yes you could just cut the IP out of the logs and check the visited sites and requested resources.
If you're using server logs, without any cookies or other client-side storage, then the ePrivacy Directive is not relevant and you're thinking about the GDPR. Unlike ePrivacy, the GDPR is specifically concerned with personal data, so if you are careful in how you set up your logs you can generally still collect good analytics on how people use your site without accidentally collecting data on how a specific person uses your site.

(still not a lawyer)
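The approach the last few comments converge on, page-level statistics from server logs with the IP cut out, as an added example that is not any commenter's code. The log lines are constructed for the example in the common "combined" format; the regular expression and the choice of which fields to discard are assumptions, not legal guidance. Beyond dropping the IP, it also drops query strings, since those often carry exactly the kind of per-person data (invite codes, e-mail addresses) that would otherwise leak into an "anonymous" page count.

```python
"""Added example: aggregate page-view statistics from web server access logs
without retaining anything that identifies a visitor.

Design choices (assumptions for the example):
  * the client IP and User-Agent fields are parsed only to be discarded;
  * the query string is stripped from the path before counting;
  * only per-path and per-referrer-host counts leave aggregate().
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referrer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log (addresses from documentation ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Dec/2021:10:00:01 +0000] "GET /play HTTP/1.1" 200 512 "https://news.ycombinator.com/item?id=29529062" "Mozilla/5.0"
203.0.113.7 - - [10/Dec/2021:10:00:09 +0000] "GET /play?invite=alice@example.com HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Dec/2021:10:01:30 +0000] "GET /about HTTP/1.1" 200 128 "https://example.org/links" "curl/7.79"
198.51.100.2 - - [10/Dec/2021:10:01:31 +0000] "GET /favicon.ico HTTP/1.1" 404 0 "-" "curl/7.79"
garbage line that does not parse
"""


def aggregate(log_text):
    """Return {'pages': Counter, 'referrer_hosts': Counter, 'skipped': int}."""
    pages, ref_hosts, skipped = Counter(), Counter(), 0
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            skipped += 1
            continue
        if m["method"] != "GET" or not m["status"].startswith("2"):
            continue  # count successful page views only
        path = urlsplit(m["target"]).path  # drops ?invite=... and fragments
        pages[path] += 1
        ref = m["referrer"]
        ref_hosts[urlsplit(ref).netloc if ref != "-" else "(direct)"] += 1
        # m["ip"] and m["ua"] are deliberately never stored or returned.
    return {"pages": pages, "referrer_hosts": ref_hosts, "skipped": skipped}


if __name__ == "__main__":
    stats = aggregate(SAMPLE_LOG)
    for path, n in stats["pages"].most_common():
        print(f"{n:5d}  {path}")
    print("referrers:", dict(stats["referrer_hosts"]))
    print("unparsed lines:", stats["skipped"])
```

Run against a real log this answers "which pages are visited frequently" from the next comment but cannot answer "which pages did this visitor see", because nothing that links two lines to the same person survives the parse. Whether the raw log file itself, which still contains IPs, may be kept and for how long is a separate retention question that this script does not settle.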

Plausible Analytics claims not to need consent, as it does not do user-level tracking or issue client-side state.

https://plausible.io/

Do you really need to know which pages a particular user visits, or just which pages are visited frequently.

The latter is easily gathered from web server logs, the former sounds like a case of "I want to do this bad thing (spying on users) for good reasons", and the law only cares that it's a bad thing, not about your reasons (or arguably it does care slightly about your reasons, but not in enough detail to accommodate your use case). Laws being rather blunt tools and reasons being rather hard to divine.

You might want to know, in aggregate, which paths users take through your site so you can make it better. This requires cookies, and the cookies are not, in my reading, essential for the site to function.
Yes... Agreed on both points.

You can get a bit of that via referrers, but not as much as you would like.

Just do it server side, with a unique session token.
How do you assign individual web requests to a session without cookies?
Add a session id to the URL and all generated links, I'd guess. Still probably not any more legit than a cookie, though.
I wouldn't be surprised if that fell under "similar devices", just like localStorage.
generate a random ID in js when your page starts, set it in the context and send it as a header on every request
While it might not be caught easily, you're still not compliant with GDPR by doing it all on the server without consent.
GDPR only applies to PII. If you're just collecting anonymous session tokens you're fine (it's what comes "out of the box" if you host your webapp on AWS for example, you'll see an AWS correlator ID in the request headers)
Cookie banners predate the GDPR: they were initially for the (much older) ePrivacy Directive, though many sites now have combination consent-gathering flows for ePrivacy+GDPR.

For your specific question, I think the Planet49 ruling gets pretty close. "It does not matter whether the cookies constitute personal data or not - Article 5(3) of the e-Privacy Directive (i.e. the cookie consent rule) applies to any information installed or accessed from an individual's device." [1]

(still not a lawyer)

[1] https://www.twobirds.com/en/news/articles/2019/global/planet...

Yeah, item 25 is interesting, but the way I read this it's more about the informative links instead of the click-to-allow ones

> strictly necessary in order to provide an information society service explicitly requested by the subscriber or user".

Sounds to me then that login/customizations are allowed

I was under the impression that for something like a session token stored in a first-party cookie you don't need consent. The second paragraph refers to both GDPR and ePrivacy directive.

> Strictly necessary cookies — These cookies are essential for you to browse the website and use its features, such as accessing secure areas of the site. Cookies that allow web shops to hold your items in your cart while you are shopping online are an example of strictly necessary cookies. These cookies will generally be first-party session cookies. While it is not required to obtain consent for these cookies, what they do and why they are necessary should be explained to the user. [1]

> Receive users’ consent before you use any cookies except strictly necessary cookies. [1]

[1] https://gdpr.eu/cookies/

It depends on what you're doing with the session cookie. If it is just for holding shopping cart items or tracking whether you are logged in, I agree with you. But there are many first-party things sites want to do which are probably not "strictly necessary".
This is the correct answer. Nobody needs to ask for cookies that are required for providing the service. They choose to annoy people.
Nobody is thinking about it that hard. Half the sites don't need it but they don't know for certain they don't need it, so they stick it in to be on the safe side because throwing a plugin on that adds it is about a 2 minute job and actually figuring out if they need it requires a lot more work.

Path of least resistance wins.

> Half the sites don't need it but they don't know for certain they don't need it, so they stick it in to be on the safe side...

That's a pretty bold claim, even steel-manning it. I personally only ever see it on sketchy sites. If you're right, then it would just take a campaign of education to halve the annoyingness rate of the internet.

StackOverflow and the StackExchange sites have one. Not sure how you define “sketchy sites” but the practice is pretty widespread among sites that are regularly linked on HN.
Not sure what you're getting at?

I looked just now on StackOverflow in incognito and saw no obnoxious pop-up.

Agreed. The practice is widespread among sites regularly linked on HN.

I get a popup every single time I visit Stackoverflow because I click reject all every time.

Just checked again (not even incognito) and it's there.

Your privacy

By clicking “Accept all cookies”, you agree Stack Exchange can store cookies on your device and disclose information in accordance with our Cookie Policy.

Accept all cookies

Customize settings

They are the worst of any collection of sites I regularly use. They take up a quarter of the screen, refuse to remember your opt out choices from day to day, regardless of whether you are signed in or not, and don't respect your choice when you go between different StackExchange communities.
OK, so where is this education?

I've read this entire thread and I still don't know when I would need to prompt for cookies, or even if I need to prompt if I store everything serverside and id the visitors with a session token in URLs.

There is no easy-to-understand definitive answer for the common use cases.

> I've read this entire thread and I still don't know when I would need to prompt for cookies...

Well that's the problem, right there! You're reading random HN threads to get this information. Why not go to the source?

https://ec.europa.eu/info/law/law-topic/data-protection_en

The law itself is fairly easy to read and understand if you're a software developer.

https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL...

Here is what looks to be pretty respectable commentary on when it triggers. Essentially, if you collect any sort of personal data whatsoever: https://gdpr-info.eu/issues/personal-data/

If you store information that can identify the user, e.g. if you collate a user's IP address, you are almost certainly collecting personal data.

Don't, if you can help it. If you must, that same site has some general guidance on how to collect consent: https://gdpr-info.eu/issues/consent/

Read there more info on how to comply with the data collection. Essentially, if it is personal data, you must give the person informed control over their data, including the ability to withdraw consent at any time, in which case you must delete it.

  $ wc cookie-regs 
    4198  54871 354380 cookie-regs
54,000 words? Significant fines for non-compliance, even in the form of errors? And this is a legal spec, not a software spec, so there's no validating my implementation? And the terms are subject to possible change and different interpretations as one could get sued in any country?

Or just put up the cookie notice and not worry.

Dotan, I'm dropping into this thread after all that drama. I'm upset that you were insulted like that. That was unnecessary.

Anyway, if you feel the need to implement a cookie pop-up to feel safe, I get it.

The GDPR is really meant to protect users' rights to control their own data. If you implement that single principle in good faith, there won't be any gotcha moments where the EU cyber police fines you over some obscure clause in 50 thousand words of legalese.

It's really the people who ignore or circumvent that principle who will be crushed.

In my opinion, you will be serving your clients better if you take the time to understand the GDPR rather than annoying your client's users by cargo-culting UX from companies that are skirting or ignoring the law.

If you do want to cargo-cult anyway, you could do worse than to crib from the EU website itself. Just saying.

https://ec.europa.eu/info/law/law-topic/data-protection/data...

Thanks, but I don't mind the insult. Quite the opposite, I do think that those who display an inability or unwillingness to learn should be shunned from the profession. I should have invested the time to write a response that clarified my position that legal compliance should be taken liberally, rather than just declaring that I don't understand law.

For what it's worth, I completely agree with the spirit of the GDPR and don't really have an issue with the implementation - it's far better than not having it.

>And the terms are subject to possible change and different interpretations as one could get sued in any country?

Do you have examples of this? I mean the different interpretations meaning that one country could sue you for an implementation that was deemed fine in another one.

I do not have examples, my field is software not law. My skill is identifying possible attack vectors, whether or not they've been exploited.
>My skill is identifying possible attack vectors, whether or not they've been exploited.

Ok, but EU legal systems (after Brexit) I think are all Napoleonic systems and not common law, furthermore as the 'cookie law' is a directive and not an actual law and is thus supposed to be imposed the same way across all EU lands I don't think this could be as exploitable as it might otherwise be.

  > ...Napoleonic systems and not common law, furthermore as the
  > 'cookie law' is a directive and not an actual law...
And the fact that I have no idea what "Napoleonic systems" are, nor what "common law" is and how that differs from non-common law, nor what the difference would be between a "directive" and an "actual law", all shows why I won't understand that fifty thousand word spec.

Of course, I could go get an education in law. Or I could implement the cookie popup.

You are supposed to know what civil law and common law are; this is part of general school education. The same goes for the difference between regulation, directive and national law, in case you are an EU resident.

<https://upload.wikimedia.org/wikipedia/commons/9/92/Map_of_t...>

You don't appear to have the aptitude to educate yourself when you notice that something confuses you or you are ignorant about a topic, cf. post id=29529880.

I think it would be reasonably charitable to assume that when the poster uses "I" in that post they are using it as shorthand for a hypothetical person that needs to decide whether or not they should implement a cookie popup, and not a complete admission of ignorance or disinterest in learning anything on their part.
To me it reads GGP meant exactly as he wrote it. You have given no reason to back the assumption that the pronoun "I" refers not to himself, but to some other hypothetical person. Therefore I find that unreasonably charitable.
You are correct, I am using the literal "I" to refer to myself specifically.
I actually don't mind the personal attack, as I also believe that we should encourage a higher bar to entry than is currently acceptable for software developers.

I do not live in the EU. I did not learn what civil law nor common law is, neither did I learn the difference between regulation, directive and national law. Out of interest, I work with people who grew up in France, Russia, the United States, and Argentina in addition to locals. I'll ask them if these terms are familiar to them.

Perhaps in fact I don't have the aptitude. Or more likely, I see the tradeoff between "understanding every nuance of a 50,000 word document in a field I'm unfamiliar with that carries severe penalties for my client" vs. "implement cookie warning" differently than you do.

Ireland, Malta and Cyprus are common law jurisdictions.
Ok, thanks, I wasn't aware of that, although I guess I should have thought in the case of Ireland it was so. Still a pretty narrow problem area.

But even so as it's a directive I don't think it is open to interpretation the way a law might be.

The cookie notices as implemented are not, in most cases, valid.
> Well, it's basically malicious compliance.

I get what you mean, but technically it's not compliance, as the law requires a simple yes/no option. Definitely malicious though.

But even those ones are annoying and push the boundaries of “simple yes/no”.
Or deceitful, where the reject all only covers the "consent" option, but every vendor has a second "legitimate interest" option.
Unfortunately in Germany that’s not true. Putting anything in someone’s computer without their approval is now considered illegal. Therefore even if you’re just using Matomo stats or anything that isn’t tracking and just functional you need to ask for permission. That is idiotic and doesn’t solve the issue at hand at all
That is a common misconception in the industry here in Germany but that doesn't make it true. I was often told to add a Cookie Consent banner even for sites that don't use any Cookies at all. Fact is, you don't need a Cookie Consent banner for functional cookies.

The issue with Matomo is that even though nicer than Google Analytics it is optional for the working of the website, so it should only activate if the user consents.

There is some serious cargo culting regarding these kinds of laws going on. I remember back in the day that you would add "I don't take responsibility for the external links" kind of disclaimers on every website. Or everyone thinking they need an Impressum (legal info/contact info) page on their website because it is required by law. (No, only for commercial sites, which is reasonable.)

I largely agree. An Impressum/Imprint is however not only needed for explicitly commercial sites, but also for sites that are not purely personal. E.g. just earning some cents with an ad banner on your personal site means you need an imprint. There have been lots of lawsuits, it's really ugly, and I totally can understand that people want to be on the safe side.
Yeah, it's still good style to always provide an Imprint.

I just listed it as an example where people don't understand the nuance around an issue. "You better provide some Imprint if you are in doubt" becomes "You are required by law to always have an Imprint".

Even if you don't earn a cent but the website is not only intended for close friends and family...
> Unfortunately in Germany that’s not true.

It is. There is no other law about cookies.

    This shall not prevent any technical storage or access for the sole purpose 
    of carrying out the transmission of a communication over an electronic 
    communications network, or as strictly necessary in order for the provider 
    of an information society service explicitly requested by the subscriber or 
    user to provide the service.
English version of the response from the EU court:

https://curia.europa.eu/juris/document/document.jsf?docid=21...

Part of this case at the German 'Bundesgerichtshof'.

https://www.bundesgerichtshof.de/SharedDocs/Pressemitteilung...

There is now Art 25 TTDSG that deals with it. The law was passed this month.
TTDSG is finally a correct implementation of the 2005 ePrivacy directive. § 25 TTDSG literally just rephrases the exact ePrivacy requirements. The pendant to the above quote is § 25 Abs 2 Nr 1:

> The consent under paragraph 1 is not required if the sole purpose [of the storage or of the access] is carrying out the transmission of a message over a public telecommunications network, or if [it] is strictly necessary so that the provider of a telemedia service can provide a telemedia service expressly requested by the user.

> Putting anything in someone’s computer without their approval is now considered illegal.

Citation needed.

Agreed that doesn’t make a lot of sense. You need to “put” html, css, images in the visitor’s computer just as much as you do a session cookie. How is one allowed and not the other?
It doesn't make a lot of sense. Now we have to interpret what was intended with the law.

What about in-browser databases? Or JavaScript?

It's much more than just cookies that are stored on computers.

Art 25 TTDSG

"The storage of information in the end-user's terminal equipment or the access to information already stored in the terminal equipment shall only be allowed if the end-user has consented on the basis of clear and comprehensive information. The information to the end-user and the consent shall be provided in accordance with Regulation (EU) 2016/679."

There is a second paragraph to this article that contains exceptions to this.

If it is absolutely necessary for the requested functionality then it is allowed. Therefore it doesn't really change anything.

There is like 15 years of official guidance and case law on ePrivacy, with relevant guidance from the Art 29 Working Party (precursor to the current EDPB) published around 2014. But I don't think regulators are in a hurry to get into arguments about the finer points when the ePrivacy Regulation could be passed any year now, which would allow a more nuanced approach to cookies (e.g. allowing legitimate interest instead of consent).
Why do you think this would result in a different outcome in Germany?

The language of the new law in Germany is virtually identical to the language of the EU directive. So why would it be different in Germany versus other countries in the EU that also have to implement the directive?

Following the German debate, the courts' and watchdogs' interpretation of the law is that "strictly necessary" means that the functionality is not possible without cookies or other technology, and the consent has to be of the same quality as per GDPR.

Privacy law in Germany is usually stricter than in other EU countries, even if the text is identical.

Which is exactly what the EU directive intends. You are literally just stating the acceptable exceptions from the EU directive.

And the main argument of this thread initially was that you don't need to ask if you are only using cookies for such use cases.

I assume from your handle that you understand German (?):

This Podcast explains the topic much better than I could:

Rechtsbelehrung - Recht, Technik & Gesellschaft: TTDSG – Cookies unter Aufsicht – Rechtsbelehrung 102 https://rechtsbelehrung.com/102-ttdsg-cookies/

Matomo calls its cookies "tracking cookies":

> It’s possible to disable tracking cookies in Matomo by adding a line on the javascript code. When cookies are disabled, Matomo data will become slightly less accurate

So it seems there's no "functional cookies" in Matomo, and so all cookies from Matomo without consent popup is not in compliance. You can disable all Matomo cookies and allow for compliance:

> By disabling tracking cookies, you may also use Matomo without needing to display a cookie consent screen.

"Therefore even if you’re just using Matomo stats"

That's not functional though, is it?

I understand entirely the desire to use such a thing, to understand how your site is being used, but it's not functional in a "delivering service to the end user" way.

(Personally I like the way it sounds, analytics without signing over the world to Google, but it's still not functional)

Don't get me wrong, I love self-hosted analytics like Matomo, but there is never a situation where a cookie for any form of analytics is "functional".
What about affiliate systems? Knowing who referred you to the site when you purchase so they can get their cut.
Arguable either way in my opinion, but irrelevant because it's not analytics.
False, since the BGH ruling in the "Planet49" case (judgment dated May 28, 2020 - I ZR 7/16), the following applies: Cookies and comparable technologies may only be used with consent in Germany as well, regardless of the processing of personal data. This is only different if the cookies are "absolutely necessary" for the technical provision of the respective service or they serve solely to transmit a message via a public telecommunications network.

So technically necessary cookies still don't need consent.

When you load a webpage you're putting images, text, and other files "in someone's computer."

I don't think it's as simple as that.

That sounds nonsensical, when people visit your website they run your code using their CPUs and electricity. You also get their attention and may even influence their heart rates and breathing patterns.
> Putting anything in someone’s computer without their approval is now considered illegal

Selling Windows by default with every computer is now illegal in Germany then?

I wish it was, but no, selling a computer system with Windows installed is consensual, either by explicit customer request or by the customer agreeing to a sale offer as advertised.

No one gets tricked into approval (here: buying) because every customer is able to request a different or no OS, or to reject an immutable sale offer; except if you think that not knowing what an operating system is and what it implies constitutes a trick, but that does not meet the legal definition.

Not malice, just lazy ass covering. It's easier to throw up a cookie banner and not get fined rather than reading laws and changing business practices instead and potentially get fined.

Also lawyers are expensive and many of them will just tell you to add a cookie banner to your site. They're also lazy and just trying to cover their asses too.

"we value your privacy" I am offended every time I read that.
Most if not all legislation comes with unintended consequences, if it has any consequences at all. Usually they are entirely predictable. Then, when people adapt their behavior to stay out of trouble by doing objectionable but legal things, we don't blame the careless legislators, we blame those we knew or should have known would respond this way to the legislation as it was written.

And so it marches on - most legislation ends up making things worse instead of better, and there is no accountability because we blame the wrong people for it.

This could have easily been a requirement for web browsers.

Imagine if instead of the obnoxious cookie banner, browsers ship with a default “don’t accept cookies” or “don’t accept 3rd party cookies” setting. When a website needs to establish a session, the browser would prompt the user, “this website uses cookies to track…”

If the user gets annoyed with that setting, they could change the default to let any website use cookies.

It’s really obnoxious how this issue was pushed onto website operators and not browsers.

Exactly.

My favorite example is sites which require you to opt out of hundreds of third party processors individually (advertising partners who may receive data). That's as dark a pattern as it gets.

It's also in clear violation of how opt-out is actually supposed to work, at least in the EU.

And with the Do Not Track header, I shouldn't even have to opt out in the first place. A GDPR decision to that effect could solve this banner madness once and for all.

I don't remember the exact timeline but MS decision to enable DNT header by default was basically a poison pill for the entire concept before it had a chance. It would have failed one way or another though. Adtech industry doesn't give up that easily.
That's the argument I've heard from the ad industry, but I don't really buy it. Previously, the DNT header was missing by default, so its presence could be seen as user intent to forbid tracking, while its absence is ambiguous. Afterwards, the DNT header was present by default, so its absence could be seen as user intent to allow tracking, while its presence is ambiguous. That's exactly what the case should be, where only explicit consent to be tracked counts.
Safari/Chrome/Firefox enable by default some ad-blocking today, just like they disable popups or screen for phishing sites.

The whole "users didn't opt in" thing was a false narrative manufactured by the ad industry. You don't need to ask a customer to disable bad behaviors without asking.

Or in other words, opt-in is not an option for the ad industry.
Do Not Track was a joke from the word go.

"Let's ask these bad actors to play nice, I'm sure they'll respect that, I mean, they probably think we all want to be tracked so let's just tell them we don't and it'll all be fixed. And make sure the option isn't obvious enough that normal people start to use it and ruin the whole thing".

> And with the Do Not Track header, I shouldn't even have to opt out in the first place. A GDPR decision to that effect could solve this banner madness once and for all.

Enforced DNT is part of the ePrivacy Regulation, which was supposed to launch alongside GDPR, but got delayed. Expect it to arrive somewhat soon.

https://digital-strategy.ec.europa.eu/en/policies/eprivacy-r...

IIRC, DNT header was such a failure that not even Firefox has it anymore: I think it's an abandoned feature.
Thanks for the correction!

At the very least, I've stopped setting it since no website respects it.

With DNT on, Medium actually behaves differently! When viewing an article with embeds (like an iframed YT video), each embed is replaced with a small privacy warning, then clicking it loads the embed.
> choose this obnoxious practice so they could continue with what they've been doing for years, which is monitoring every action a visitor does.

You're right, but I'd like to mention that, in pretty much every jurisdiction with laws like this, you cannot set or retrieve information from a user's computer without getting their consent first. Which means that accessing cookies on page load, then showing a consent banner, is no more protection than just not having a consent banner. I would always tell clients this, and even send them the relevant wording, but I don't believe it ever made the tiniest bit of difference because, as you say, they just want to keep tracking users.
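The ordering point in this post (nothing may be read from or written to the visitor's browser before consent) and the Matomo point above (its cookies stay off unless the visitor opts in) come down to one default-deny gate. The following is an added JavaScript example, not code from the thread or from Matomo; the cookie manifest and header values are constructed, and `disableCookies` is assumed to be the Matomo `_paq` tracker command that the quoted "adding a line" refers to.

```javascript
// Constructed manifest: every cookie the site touches, tagged with its purpose.
// Anything not listed is treated as unknown and denied.
const COOKIE_MANIFEST = Object.freeze({
  sessionid: 'necessary',   // login session: strictly necessary for the requested service
  csrftoken: 'necessary',   // CSRF defence: strictly necessary
  _pk_id:    'analytics',   // Matomo visitor id (consent-based)
  _pk_ses:   'analytics',   // Matomo session (consent-based)
  ad_ref:    'marketing',   // affiliate / referrer attribution (consent-based)
});

const OPTIONAL_PURPOSES = Object.freeze(['analytics', 'marketing']);

// State before the visitor has chosen anything: every optional purpose is denied.
// A "DNT: 1" request header is recorded as the reason, but it changes nothing,
// because the default is already "no".
function defaultConsent(headers = {}) {
  const dnt = String(headers.dnt ?? headers.DNT ?? '') === '1';
  return Object.freeze({
    analytics: false,
    marketing: false,
    source: dnt ? 'dnt' : 'default',
    recordedAt: null,
  });
}

// Records an explicit choice. Only the optional purposes can be granted; a caller
// cannot grant an unknown purpose, and "necessary" is never a choice.
function applyChoice(consent, choice, now = Date.now()) {
  const next = { ...consent, source: 'user', recordedAt: now };
  for (const p of OPTIONAL_PURPOSES) next[p] = choice[p] === true;
  return Object.freeze(next);
}

// Withdrawal is as easy as granting: one call resets every optional purpose.
function withdraw(consent, now = Date.now()) {
  return applyChoice(consent, {}, now);
}

// One rule for both storage and access (the directive text quoted in this thread
// covers "storage or access"): necessary always, optional only with consent,
// unknown never.
function mayAccess(cookieName, consent) {
  const purpose = COOKIE_MANIFEST[cookieName];
  if (purpose === undefined) return false;
  if (purpose === 'necessary') return true;
  return consent[purpose] === true;
}

// Applies the rule to an incoming Cookie header before any handler sees it, so
// "read the cookies on page load, then show the banner" cannot happen by accident.
function filterCookieHeader(cookieHeader, consent) {
  const allowed = {};
  for (const part of (cookieHeader || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (mayAccess(name, consent)) allowed[name] = part.slice(idx + 1).trim();
  }
  return allowed;
}

// Builds the Matomo _paq command list for this visitor. Without analytics consent
// the tracker is told to set no cookies at all before it does anything else.
function matomoCommands(consent, siteId = '1') {
  const cmds = [];
  if (!consent.analytics) cmds.push(['disableCookies']);
  cmds.push(['setSiteId', siteId], ['trackPageView']);
  return cmds;
}
```

The same gate decides the outgoing Set-Cookie side; the server simply asks `mayAccess(name, consent)` before emitting a cookie.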

The consent data collected by the cookie preference pane may not be GDPR compliant. IAB who created the TCF protocol appears to be losing the battle. https://techcrunch.com/2021/11/05/iab-europe-tcf-gdpr-breach...
I'm not a lawyer, but I bet those buttons are legally binding.

Clicking "I accept" means you can't sue a website if they have your data.

I'm not sure but I don't see why those websites would annoy users.

> You don't need a cookie banner to be allowed to create Cookies. You only need them if...

You don't need a "banner." The requirement, as I understand it, is to be conspicuous. Conspicuous just means visible, easy to notice. Contrary to the industry's apparent position, conspicuous and obnoxious are not synonyms.

There already is a better solution and always has been, it's called setting cookie preferences at the browser level and then leaving it.

Trying to regulate the option for cookie preferences at the individual site level was always a stupid idea. The average person visits thousands of websites every year. Of course nobody is going to take the time to do that.

If the lawmakers in the EU were intelligent, they would have created a law that forced all web browsers to provide "X" privacy setting features for EU-domiciled users (where X is what they were aiming to achieve).

In addition to not burdening the entire world with time wasting popups all day, this option would have also had the bonus of not burdening millions of small businesses around the globe with complex regulation and legal liability.

Not to mention the total lack of enforceability of the current law when it comes to websites operated outside of the EU.

If done at the browser-level you really only have to police <10 companies.

I totally agree that this should be a browser setting.

However it’s not only about cookies: what we abusively call the cookie law and cookie popups are about tracking, and there are many ways to track you without cookies, some of which are not easily blocked by browsers.

Ideally the browsers would indicate the user’s preference via a header (e.g. the DNT header) and websites would be constrained by law to obey that.

Sites could provide a cookies-manifest.json with the entities they provide data to. Then the browser could show a standardized cookie banner, if needed. The user could also disable the cookie banner completely, if they so desire.
> There already is a better solution and always has been, it's called setting cookie preferences at the browser level and then leaving it.

This. I've always had 3rd party cookies disabled at the browser level, and never noticed any website breaking. The "solution" by the EU has been terrible, and everyone just clicks "accept all".

3rd party cookies are orthogonal to tracking. There are tracking methods that don't need them, or any cookie.
> If the lawmakers in the EU were intelligent

If bureaucrats helping create these laws were less out of touch. I think they are reasonably intelligent, they just don't know anything about technology. The criteria for selecting them is outdated.

Honestly this legend needs to die.

I've worked as a consultant for the EU Parliament and they are a lot more knowledgeable than you think, and for things they are not, they hire consultants (like me).

There are a number of people directly elected to the EU Parliament that have a background in technology; I personally know a couple of computer scientists, with lots of publications in their curricula.

Problem is the law cannot be written the way you are arguing about, that could be in the form of a directive not as a regulation[1], the regulation must be general enough and cannot address issues that have different legal bindings in the 24 EU countries.

[1] A "Regulation" is defined as a binding legislative act. It is immediately applicable in its entirety in all Member States and it overrules national laws. A "Directive" is a legislative act setting objectives that all EU countries must reach and translate into their national legislation within a defined time frame.

So if the law couldn't be written in a rational way without creating bizarre outcomes, then why create it at all?

When you create legislation, you're implicitly saying; "these rules we're writing down are important enough to enforce with the full monopoly on violence given the powers of government." The cookie popups seem extremely silly in that context.

I don't doubt you've run across some well-intentioned people. But as the saying goes, the road to hell is paved with good intentions.

Seeing a structurally dysfunctional system from the inside, and being able to empathize with the individuals in it, does not make the design of the system any less dysfunctional.

Cookie popups are bad, but they're pretty similar to a no smoking or no parking sign. In this case, it's the reverse. The whole internet bans cookies, but it informs you that you're entering a cookie zone.

These companies may think they're protesting the cookie law with popups but it's achieved what I expected it to achieve. It's given me fair warning that the site intends to track and monetize me, so I can walk away if I don't think it's worth it. And it adds a higher cost to it too.

> So if the law couldn't be written in a rational way without creating bizarre outcomes, then why create it at all?

Nobody said that, I don't know why you're saying it, because it also makes no sense.

Do you also believe that we shouldn't have made murder illegal because murderers still exist?

There are always gonna be bizarre outcomes; pop-ups only speak about how lousy advertisers and tracking freaks are, but there have certainly been more bizarre outcomes, think about people refusing vaccines...

Compared to that, pop-ups are just an annoyance that we can avoid by punishing the perpetrators directly, by not visiting their websites.

> But as the saying goes, the road to hell is paved with good intentions

It's all simple, until you have to convince hundreds of politicians to agree on a law that's gonna be enforced on 450 million people from 27 different countries, with 27 different legal systems.

Especially because many people that consider themselves tech savvy are more out of touch, e.g., thinking the privacy aspects could be solved through local cookie policies only, or that it would be a suitable solution to solve even just the cookie aspect in a nuanced, non-techie-friendly manner.
Cookie consent should be the responsibility of user-agent cookie policy. And virtually all of the consent banners I've seen are about cookies. And I certainly think it has a better shot of being comprehensible by users in general than having a separate UI for consent for every site. Especially when it's in those sites' interest to confuse or annoy users into allowing the cookies.
In this thread I had the impression that the discussion widened to more than just cookie-banners, more general privacy on the web.

One of the problems I have with the pure-local approach is that I want certain cookies (or certain cookie functionality) of sites but not others. Some functionality I want and some I don't want can be implemented with the same cookie.

I think I would need tagged cookies (so I can disallow those that are used for things I don't want) as well as an assurance to not use the other cookies in the "wrong" ways.

That's why I think purely local cookie management is severely lacking and not suitable to tackle the problem in a user-friendly and nuanced manner - beyond an all-or-nothing approach.

I personally do not think a browser level approach can enforce the privacy goals without cooperation of (and therefore enforcement against the companies providing) the serverside implementation.

That, of course, does not mean that a browser level setting that has to be honored by the server side and can be transferred between sites would not be preferable to clicklists and banners.

Haha. Exactly. I just commented above that the better way to have written the regulation was to say, “Thou shalt honor Do Not Track.”
>There already is a better solution and always has been, it's called setting cookie preferences at the browser level and then leaving it

GDPR is not only about browsers, it applies outside our web dev bubble. Then if the law were only about cookies, some "smart" webdev would use localStorage; if we then add localStorage, some other dev (probably working on Google Chrome) would create something new... so maybe those EU politicians and consultants are a bit smarter than you (no offense, maybe you are a smart person but either you have the wrong perspective or you did not really think for more than 5 seconds about the problem).

Sorry, you’re mistaken.

Cookie popups weren’t the result of GDPR.

They were the result of the earlier “ePrivacy” directive from 2002 and revised in 2009.

Many people confuse these two pieces of legislation, but cookie popups were already an endemic problem long before GDPR.

I know that, my point is still relevant because it was related to:

>There already is a better solution and always has been, it's called setting cookie preferences at the browser level and then leaving it.

This is really not a solution; browsers already had a black-and-white option to allow cookies or not, or allow JS or not. The proposed idea is to give only one place where you can accept or not accept tracking; then you want to really read a website, or your work/bank forces you to read a page, and you have no choice but to allow cookies for everything and accept all possible tracking, because some HN web dev thinks they are much smarter than a group of consultants, lawyers and privacy advocates.

If tracking is legal then Allow/Disallow tracking should be per website, and there should always be 100% transparency on what is tracked and shared with whom. Tech people could create browser APIs; for example, you could have an in-browser cookie popup where web devs could populate the text message about "We care about privacy", and an array where web devs can populate the names, links and terms of use for the 100+ partners. Then all websites would share the same native popup and implement it correctly with no dark patterns; there could be a 3-line extension to click allow or not allow for people that really want to accept or not accept. But these browser APIs won't happen because Google controls the web, Mozilla is on its last breath and Safari is still screwing around with missing JS and WebGL features and other bullshit.

Edit: Also a simple law as proposed ("make cookies a setting for all websites per browser") is not good, since you can use localStorage, fingerprinting or other tricks to get around the law, so the proposed idea is bad.

That's true, but simion314 is still right that the law doesn't specifically target browsers.
The question is how would you regulate browsers? I would personally hate any regulation that government would try to do for software, because we know that the next thing they would do is ban encryption. No browser/IETF member would voluntarily do this for sure, not even Firefox.
Firefox, safari, etc. already have pretty advanced anti-tracking and privacy features in place.

If you care about that sort of thing, you use those browsers and automatically make all cookie popups irrelevant. After that they simply turn into pure annoyances.

And no regulation was needed at all, since the free market has already satisfied those customer wants and found the optimal solution for all parties.

Legislation should be the absolute last resort to a problem that has proved otherwise unsolvable. This was not one of those problems.

I agree with what you said, but I was wondering about a little detail you mentioned:

> The average person visits thousands of websites every year.

Is this true? Is there any data that would back this? A commonly used argument comes to my mind, that for most internet users the internet is about a handful sites...

In Finland, the law implementing the GDPR used to be interpreted so that browser settings were enough to opt out of cookies and you just had to inform the user about what cookies you were setting. This interpretation was suggested by Traficom (the government office in charge of traffic and telecommunications). Some individual complained to the Helsinki Administrative Court, which issued rulings (H1515/2021 and H1516/2021) stating that this interpretation is incorrect - as far as I understand, this is because browser settings cannot differentiate between necessary and optional cookies. The new Traficom advice requires the same annoying pop-ups as everywhere else in the EU.

But I agree it shouldn't technically be too hard to standardize the settings so that your browser could communicate to each site what the user consents to. The hard part is enforcing compliance - we already had Do Not Track, which had very little effect.

But you can't create an industry selling faux-compliance with only 10 companies!
Laws that require software companies to implement a user choice should really contain some wording against dark patterns. EU lawmakers could have been warned: A similar thing happened back when Microsoft was forced to give users in the EU a choice of browsers, when they created the most confusing dialog possible and hoped that users would just click OK to Internet Explorer out of desperation.

For me personally, when those data protection laws were implemented, seeing the extent of the market for user tracking was a shock to me. The respect that I lost for actually quite a lot of companies as a consequence has informed some purchasing decisions. And I don’t think anybody would mind those banners if the opt-out option you want to click is reachable with a single, easily visible button.

Edit: Responses suggest that the GDPR already contains something to that effect. Glad to know. If that’s true, then I guess it’s time for court cases to sort this out.

By law, users must be given a clear yes/no option, companies just ignore that.

Support noyb if you want to improve the situation: https://noyb.eu/en/noyb-aims-end-cookie-banner-terror-and-is...

There's a reason why facebook/meta/whatever calls Max Schrems "The Devil" internally, at least the Ireland division.

This. noyb.eu is doing incredible work. I was hoping to see a link to their GDPR/cookie page in the comments. Thank you.
> Laws that require software companies to implement a user choice should really contain some wording against dark patterns

They do.

GDPR explicitly requires

- that denying is easier than accept

- that all choices are denied by default

- that there has to be a single "no" button, but individual "yes" buttons for every single choice

Just everyone breaks the law.

To add to that, we have the effect that some large $megacorps used these dark patterns in the beginning to see if they can get away with it and others unknowingly just copy it. I work as a webdev contractor and very often get requests by customers to implement the same (illegal) tracking popup, thinking they would be lawful as it is identical to what $megacorp uses.
> - that denying is easier than accept

> - that there has to be a single "no" button, but individual "yes" buttons for every single choice

GDPR requires neither of those explicitly, this is just the interpretation by most regional Data Protection Commissioners.

> but individual "yes" buttons for every single choice

This is misleading at best - there can be an "Accept All" Button.

> should really contain some wording against dark patterns

Something like: "Default option must be 'no tracking cookies'"? Software companies would find a way to complicate things.

They should just make the tracking forbidden in general.

They should have just said, honor the “Do Not Track” signal from the browser.
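
The "honor the Do Not Track signal" suggestion above, and the earlier comment about browsers communicating consent to each site, as an added example that is not from any comment in the thread: a JavaScript gate that checks navigator.doNotTrack and navigator.globalPrivacyControl before deciding whether a page may load its optional scripts, and only falls back to a stored consent choice when no signal is present. The script manifest, its URLs and the consent variable are constructed for the demonstration.

```javascript
// Added example, not from the HN thread: what "honor the Do Not Track
// signal" looks like in page code. Optional (tracking) scripts are gated on
// the browser's standing opt-out signals first, and on stored consent only
// when no signal is present. `nav` is passed in so the logic can be run
// outside a browser; in a page you would pass the real `navigator`.

// Normalize the two machine-readable signals browsers expose.
//  - navigator.doNotTrack: "1" = opt out, "0" = opted in,
//    null/"unspecified" = no preference (legacy IE/Edge exposed it as
//    navigator.msDoNotTrack, checked here as a fallback)
//  - navigator.globalPrivacyControl: true = "do not sell or share"
function readPrivacySignals(nav) {
  const raw = nav.doNotTrack !== undefined && nav.doNotTrack !== null
    ? nav.doNotTrack
    : nav.msDoNotTrack;
  const dnt = raw === '1' ? true : raw === '0' ? false : null;
  const gpc = nav.globalPrivacyControl === true;
  return { dnt, gpc };
}

// `consent` is the visitor's remembered dialog choice: true, false, or null
// if they were never asked. With no signal and no answer the default is "no".
function mayLoadOptionalScripts(nav, consent) {
  const { dnt, gpc } = readPrivacySignals(nav);
  // A standing opt-out beats a remembered "accept": it is the visitor's
  // instruction to every site and costs them zero clicks per visit.
  if (dnt === true || gpc) return false;
  return consent === true;
}

// Split a page's scripts into necessary ones (always loaded) and optional
// ones (loaded only if the gate passes). The necessary/optional distinction
// is something only the site can make, and it can make it without a banner.
function selectScripts(nav, consent, scripts) {
  const optionalAllowed = mayLoadOptionalScripts(nav, consent);
  return scripts.filter(s => s.essential || optionalAllowed);
}

// In a real page the filtered list is inserted like this.
function injectScripts(doc, scripts) {
  return scripts.map(s => {
    const el = doc.createElement('script');
    el.src = s.src;
    el.async = true;
    doc.head.appendChild(el);
    return el;
  });
}

// Constructed sample manifest with hypothetical URLs.
const SAMPLE_SCRIPTS = [
  { src: '/static/app.js', essential: true },                   // runs the site
  { src: 'https://analytics.example/t.js', essential: false },  // tracking
];
```

In a page you would call selectScripts(navigator, storedConsent, SAMPLE_SCRIPTS) and hand the result to injectScripts(document, ...). A visitor who has set DNT or GPC never needs to see a dialog at all; the dialog is only reached by visitors who sent no signal, which is the opposite of how most banners today are wired.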
This is all it should have ever been. People say don't blame the cookie law but no, indeed, the architects of the cookie law are to blame. When you have crafted a bad law with poor enforcement, it looks like the consent nightmare we live with today.

Click yes or no? I don't want to waste a click more than once to say no everywhere. The pain and fallout of these rules and regulations is squarely on Schrems and others who have "pioneered" these awful laws.

I haven't accepted it. Out of all the websites I've designed over the years, exactly 0 have cookies for visitors. When there is login for members, then there is a cookie which is not used for tracking (but rather for providing the service the member asked for) and therefore legally does not require a consent banner.
Would that I could give you more than an upvote. Are these your personal or business sites, or for employers and clients? If the latter, how do you combat the hunger for analytics that drive non-users into users?
It's not all personal, but it's all unrelated to business. As an anarchist, I refuse to work on projects I find unethical, which includes any form of profit-driven project. Sorry I can't give you pointers on how to hack around capitalism, my only solution is pure abolition :-)

I should note that I'm also not a professional hacker. Programming/sysadmin is more of a passion than a trade to me, and I'm just a lowly amateur unworthy of much praise.

But to be fair, there's amazing non-profits and worker cooperatives building cool software (Framasoft comes to mind). If only more fellow hackers stopped working for evil bosses and started to work for public interest...

How does one find out more about this scene, and more importantly does it actually provide you with enough income to live on? (Rent is expensive in cities)
There's not exactly a centralized directory of cool tech coops, but there's a few places that list some or where they hang out. [1] There's also a fair bunch of coop orientation in the XMPP/ActivityPub ecosystems.

Some projects are driven by direct donations, some others via grants (all NLNet-supported projects) and business partnerships (Blender foundation), some provide paid services to fund R&D (SourceHut).

Overall, it's technically possible to derive a decent income from such schemes, but that's not exactly widespread. Many dedicated hackers will work for minimum wage or less, but some will arrange either:

- to reduce their expenses, by moving to cheaper places [2] or living in shared flats or communities; if you're organized as a collective even food and furniture can have close-to-zero cost [3]

- or to have a high-wage part-time job on the side, or support contracts to pay the bills; if you get half-time to work on your pet projects, that's already quite an achievement

Overall, building a cooperative economy asks the question of where does the money go? The more autonomy we can achieve, and the more money we can "recycle" into other cooperatives, the less of our resources leak into the pockets of the 1%.

So yes, if you make a really cool project people appreciate and/or can depend on for their business, you can sure make a living out of it: just be sure to use copyleft licenses (e.g. AGPLv3) so you're not scammed out of your work by big businesses. But personally, I'm more interested in non-profits driving R&D with a vision (like Framasoft does with the Degooglize Internet campaign and e.g. the Peertube/Mobilizon projects).

[1] for example libreho.st, chatons.org (french-speaking) for hosting coops

[2] for example in France, if you don't insist on living in the big cities, you can find places to rent for close to free once you subtract housing support from the rent; I guess the same is true in many places

[3] skipping unsold food from (super)markets or growing food in the backyard; we could also mention utility hacking for free electricity/water but I can't say most devs I know do that

Thanks for this. Didn't know about the 'tech co-op' scene, so appreciate the detailed info!
Hmmm...so you are an anarchist (so don't want government) but also think profit seeking is unethical?

I'm genuinely curious what mechanism you would like society to function under? Like why would people...do stuff if not for value in exchange?

Honestly the only thing I came up with is basically if you forcibly modified humans in one generation, making people want to help each other for no benefit to themselves. Then, abolish the government in the next generation so this group of modified humans runs with no profit motive or government. So it's like super dark and authoritarian, but only for a little bit?

Anyway, this was a fun thought exercise for me so thanks!

> Like why would people...do stuff if not for value in exchange?

People do stuff because they're curious or bored. Because they want to help and feel useful. Sure, if you've worked all your life, you may spend a few months just doing nothing and just reconnecting with your inner feelings and environment. But after a while I can assure you you won't be able to stand lying around: pathological laziness is very rare. [0] Many people without employment suffer from not having a sense of purpose.

But what about the tasks nobody wants to do, like collecting garbage? Why can't we distribute those tasks? Why would a certain caste of people have to do the unpleasant tasks for others? If some task is a burden to the community, it's only fair the unpleasantness is distributed somewhat equally. If I lived in a big city, I personally wouldn't mind collecting garbage once or twice a year, and the value I would derive from that would be that all garbage including mine is duly collected. [1]

Likewise, why would I help another person with some task I'm competent with? It can come out of simple empathy, but there's another way to look at it. The capitalist system treats exchanges as a zero-sum game where if I don't get my share at every step of the way I'm getting screwed because someone else will have it. A Commune without private property [2] treats exchanges as some form of creative process: the more we share, the more we have, and the more we can share... the better off everyone is in the end.

> Honestly the only thing I came up with is basically if you forcibly modified humans in one generation, making people want to help each other for no benefit to themselves.

Haha, that sounds like a pretty cool scenario for a movie in which you're not sure if it's a utopia or dystopia. Can't wait for the trailer to come out ;)

> Anyway, this was a fun thought exercise for me so thanks!

Cool! It can be more than a thought experiment, though. No person (myself included) is going to come up with the solutions to all our problems. The point of anarchism is that distributing power (so that everyone has a voice) is a prerequisite for finding the better outcomes for everyone. This can be practiced in every field of life on a daily basis.

If you enjoyed the thought experiment, I can only recommend reading some more anarchist literature: I've personally profoundly enjoyed Emma Goldman's autobiography, among others. Submedia's Trouble [3], in video form, documents various questions/practices related to anarchism.

[0] I hear Devon Price has some good works lately on that topic, but I haven't given it a read yet.

[1] Of course in a better world, we wouldn't have a garbage-oriented society. Capitalism produces waste on so many levels it's hard to imagine a less-efficient system. I take this example because that's something all people who live in cities can relate to.

[2] Private property does not designate personal belongings. Of course in a free Commune everyone still has personal stuff. Property is the authority derived from a piece of paper over resources you have no use of.

[3] https://sub.media/c/trouble

Why do you find profits unethical as an anarchist? Capitalism is not a form of government.
TLDR: Capitalism is a form of government historically and in the present. Even if it was not (as suggested by right-wing libertarians like Ayn Rand), anarchism stands against all power over others (read authority/domination/privilege/exploitation), not just government.

"Property is theft" is a famous quote by Proudhon [0], who was the first person to coin the term "anarchist" to describe a desire for Freedom & Equality as complementary goals which should never be opposed. By this, he means that profit is always derived from someone else's exploitation downstream: for example, as computer people, even by working "ethical" jobs, we still widely profit from the exploitation of miners and factory workers in the Global South who produce our devices, and from the pollution and climate change (that also mostly affects the Global South) derived from that. It's also worth noting, as we've seen at the height of the COVID lockdowns, that the people the most essential to society (food/health, logistics, maintenance/construction workers) are also those who get the smallest share of the pie.

Private property is the State religion that makes it possible to have homeless people yet millions of empty dwellings, and that core tenet of capitalism is enforced by the Nation State and its police/military forces [1]. This, despite the fact that many jurisdictions (including the law in France since the liberation in 1945) explicitly allow authorities to requisition empty dwellings to prevent civil disorder ("trouble à l'ordre public"). Capitalism relies on early indoctrination (via childhood education) and a great amount of physical force/threats in order to perpetuate itself. Why do we have to pay to live? Because if you don't pay rent, some psychopaths with guns are gonna knock down your door and kick you out.

Would there be equality without a centralized government? Sure, some influential person could employ a militia (as already happens despite our having a central police [2]), but:

- the scale of that would be fairly limited to crush popular unrest, compared to a Nation State's forces

- without a central State to indoctrinate since childhood (preparing us for competition in a cruel world) and ensure millions of people live in misery (and have to take the job) it would be harder to mount such schemes

- the incentives would be more balanced: if we can live decently and quietly (as most people desire), what interest would I have to attack someone else's community for a corrupt overlord?

- power would be more balanced: in many parts of the world (including France), the State has a legal monopoly on justified violence which makes communities vulnerable by not having a right to arm and defend themselves

Both outcomes are possible if we abolish the State from one day to the next (anarcho-capitalism and anarcho-communism). However, given the history of capitalism and the sheer amount of national force it took to set that up (e.g. armies colonizing foreign countries, public schools to teach the young to fuck other people before they fuck you and that "copying is cheating"), I would argue that tearing down such centralized structures may bring us closer to our tendencies for empathy and mutual aid which are common throughout animal societies. [3]

Overall, anarchism is focused on distribution of power, responsibilities, and resources: in society at large, in the family, in the workplace, in interpersonal relationships... It's not focused on "rights" as a legal construct but on the practical power you can wield as an individual. Sure, in a capitalist society we are all "free" to own a castle just like we are all "free" to get decent healthcare: but if we aren't given the practical means to achieve this "right", it's entirely meaningless.

Or, as Bakunin put it: "liberty without socialism is privilege, injustice; socialism without liberty is slavery and brutality."

To finally answer your question, I'm not morally opposed to making a profit in this profit-driven society in order to survive. I'm also not morally opposed to cooperatives making a profit in order to build a parallel economy. What matters to me is the next step: how to build a society based on needs and desires, not profit. Or, as the old anarchist saying goes: "To each according to their needs, from each according to their capacity".

On a high level, you need money because everybody else needs money: the carpenter needs to pay the peasant, who needs to pay the plumber, who needs to pay the baker... Workers' cooperatives, when they have a sense of revolutionary purpose [4], can be a trojan horse that extracts money from our overlords in order to build material autonomy that can lead to the irrelevance of profit. Money is an abstract layer of indirection, and at each step leaks into the pockets of the owners.

Having lived for quite a while in communities where money is irrelevant [5], I personally feel that in order to achieve our goals, it's much more efficient to base the discussion on actual needs and how to build concrete autonomy [6] rather than center the talk on monetary goals in which we can lose sight of what we were trying to accomplish in the first place.

I hope to have answered your question.

[0] If you're interested in cooperative economy and don't read what he has to say about women and the Jews, his writings are sound. Fortunately the more recent anarchist movement (since the last quarter of the 19th century) has evolved to be fundamentally incompatible with misogyny and racist sentiment and to be on the frontlines against such power structures (see for example the rise of anarcha-feminism since the 1930s).

[1] The military is not just a construct against foreign invasion, as seen throughout the history of the workers' emancipation movement and the many times armies have been called to bloodily suppress strikes and other forms of popular uprising. Although since the second half of the 20th century, modern Nation States have developed "counter-insurgency" techniques in which the military becomes a last resort, and focus is placed on both propaganda and cooptation on one hand, and more vicious political repression on the other hand (targeted assassinations, legal proceedings, mutilation by police forces, etc).

[2] In the squatting scene, that's not unheard of. Bigger landlords often have ties to different strains of mafia. In other spheres of life, you could probably read about Pinkerton (the history as well as modern occurrences such as Amazon's anti-union campaign), about the Coca-Cola murders in South America, or about companies such as Ikea mounting their own intelligence agency.

[3] See also the recent HN threads about Kropotkin and his studies on mutual aid.

[4] Unlike recent strains of workers' coops which have been coopted by capitalism (so-called social economy) and are only concerned about working conditions and not about broader social questions.

[5] We do use money to interface with some segments of society, but in a squat/Commune you can as an individual live without money if you don't have any, and still find purpose and access to resources. Also worth noting, some interactions with neighboring structures is not necessarily based on money: it's not uncommon for a local market/bakery to give away "dying" foods, for neighbors to help out one another on construction work, etc.

[6] Autonomy is not independence. No one is truly independent, and autonomy accepts and accounts for inter-dependence relationships.

I was worried by the size of this reply that it was some kind of copy-pasta at first. That doesn't seem the case. I am genuinely interested in digesting this and giving you a thoughtful reply, but it will take some time.
I use Plausible, which gives me enough useful information to run my website, but doesn't collect any more than needed. It's a lot less useful than Google Analytics, but it's a big privacy and UX improvement for my readers.

My personal website has no tracking at all.

I use the "I don't care about cookies" browser extension with "Cookie AutoDelete". Cookies are managed client-side, those banners are redundant. The purpose of open standards is that you can have a user-agent that does whatever you want it to do, so take advantage of that.

Cookie banners are the dictionary definition of a meme. They give the site makers peace of mind, helping them sleep better at night, even if they may have no other practical purpose. Other site makers see them and reproduce them because it gives them the same peace of mind, exposing the banners to more site makers. Obviously, there are better ways to get peace of mind as webmaster, but you'd need first to explain the problem to a lot of people before anything changes.

Cookies are not the only way to track you.

Websites can track you with localStorage, ETag headers and other cache-based methods, etc.

Some methods don’t even require any persistence on the client side, e.g. fingerprinting.
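
The cookie-free tracking point made in the comment above, as an added example that is not part of the original thread: a small JavaScript model of ETag-based tracking showing both the server's and the browser's side of the exchange. The server logic, the in-memory store, the pixel URL and the ID format are all constructed for the demonstration; the HTTP semantics (ETag, If-None-Match, 304) are the real ones.

```javascript
// Added example, not from the HN thread: a minimal model of ETag-based
// tracking. The server hides a visitor ID in the ETag of a tiny "pixel"
// resource; the browser's cache hands it back as If-None-Match on every
// revalidation, so the ID persists with no cookie and no localStorage.

let counter = 0;
function mintVisitorId() {
  // Demo-only ID (a counter plus Math.random); a real tracker would use a
  // token from a CSPRNG. Quoted because ETag values are quoted strings.
  counter += 1;
  return '"v' + counter.toString(36) + '-' + Math.random().toString(36).slice(2, 10) + '"';
}

// Server side. `handle` takes a plain object of lower-cased request headers
// (the shape req.headers has in Node) and returns the response it would send
// plus the visitor ID it resolved.
function createTrackingServer() {
  const visits = new Map(); // constructed in-memory store, stands in for a database
  return {
    handle(reqHeaders) {
      const presented = reqHeaders['if-none-match'];
      if (presented && visits.has(presented)) {
        // Returning visitor: the cached ETag came back. 304 keeps the
        // browser's cached copy, and with it the ID, alive for another year.
        visits.set(presented, visits.get(presented) + 1);
        return { status: 304, headers: { etag: presented }, visitorId: presented };
      }
      // First visit, or the cache was cleared: issue a fresh ID.
      const id = mintVisitorId();
      visits.set(id, 1);
      return {
        status: 200,
        headers: { etag: id, 'cache-control': 'private, max-age=31536000' },
        body: 'GIF89a', // any cacheable body will do; the payload is the header
        visitorId: id,
      };
    },
    visitCount(id) {
      return visits.get(id) || 0;
    },
  };
}

// Client side: just enough of a browser's HTTP cache to show the round trip.
function createBrowser() {
  let cache = {}; // url -> stored ETag
  return {
    fetch(server, url) {
      const reqHeaders = {};
      if (cache[url]) reqHeaders['if-none-match'] = cache[url];
      const res = server.handle(reqHeaders);
      if (res.headers.etag) cache[url] = res.headers.etag;
      return res;
    },
    clearCookies() {
      // The tracker never set a cookie, so this is a no-op by construction.
    },
    clearCache() {
      cache = {}; // this is the control that actually breaks the link
    },
  };
}

// Walk through the exchange and report what the server could correlate.
function demo() {
  const server = createTrackingServer();
  const browser = createBrowser();
  const first = browser.fetch(server, '/pixel.gif');
  browser.clearCookies();
  const second = browser.fetch(server, '/pixel.gif');
  browser.clearCache();
  const third = browser.fetch(server, '/pixel.gif');
  return {
    survivedCookieClear: first.visitorId === second.visitorId, // true
    survivedCacheClear: first.visitorId === third.visitorId,   // false
    visitsLinkedToFirstId: server.visitCount(first.visitorId), // 2
  };
}
```

Run it under Node and call demo(): clearing cookies leaves the ID intact and the server links both visits to it, while clearing the HTTP cache forces a fresh ID. A consent dialog that only talks about cookies says nothing about whether a page does this, which is why the extensions mentioned in this thread also purge per-site cache and storage rather than cookies alone.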

Cookie Autodelete also takes care of things like local storage and various caches.

There's not much you can do about fingerprinting though. You can try to limit it in Firefox with the resist-fingerprinting option, but that has its limits.

And besides all that, most people use the same public IP address anyway…
I like them. They are a sure signal which websites to avoid. Same as 'allow notification' banners.

Although, to be honest, some (smaller) sites do it just because 'everybody does that' and they think they have to in order to comply with the law.

It hasn't made me stop visiting any sites because the banners are almost omnipresent, but I've started using incognito mode way more, so I can blindly accept whatever the site wants me to.
An ad provider might connect your incognito session with your regular session. Especially if you blindly click “accept”, since then you might agree to being tracked across sessions and devices.
Well, many sites include cookies to link devices as required cookies anyway. So even if you reject the rest, you are still accepting some form of "device linking". It's hopeless.
A clickbaitey site I visited recently detected incognito mode and would not let me in. I don't remember if it had a simple overlay or missing content, since I immediately went away.
> I like them. They are a sure signal which websites to avoid. Same as 'allow notification' banners.

Agreed. I learned to ignore banners, but when I see a modal forcing me to do an action before proceeding, I can be 100% sure they're up to something slimy. So most of the time I just give up, I don't care that much about your website to lose my precious time clicking on stupid buttons.

Same here. It's very off-putting, no matter how interested I am in the content. Some other such deterrents for me are the usual autoplaying media, newsletter popups, and blog-spam recommendations.

Lately, I've also included in-your-face code of conduct or diversity rules, and fixed-position author portraits in blogs.

For YouTube it's opening with "hey guys!11!", forced hand gestures, manic editing (where pauses between phrases are shorter than between words), and superfluous stock imagery.

Life's too short and it's only getting shorter.

Yeah, I've set Firefox to always reject notification and location requests unless I override it (e.g. notifications for WhatsApp Web or a few other websites) - I'd rather not waste the mental energy being grumpy at a site for requesting location for the most trivial crap.
This approach doesn’t seem viable. The banners are on >95% of the sites I visit.
I hate them. But yes, whenever I see a banner, I close the browser tab. And that happens to more and more sites, which tell me: more and more sites are crap. I'm better off living without them.
The worst part is, after all this time, most users are desensitized by all the banners and ads that pop up so they click whatever button they can to get rid of it. I’m guilty of it myself.

This isn’t the privacy solution we needed. It hasn’t changed the way users are tracked — it’s only annoyed people. The law needs to be reshaped to punish abusive companies, not users.

California has a warning for cancer-causing chemicals and sites. It's called the Prop 65 Warning.

And it's _everywhere_. Turns out there are qualifying cancer-causing agents around every corner. Including gas stations, and no one doesn't go to the gas station because of the posted Prop 65 Warning.

So everyone ignores it. It has no effect for all the trouble they took to implement it.

There's a great Safari extension for this called Hush[1].

After installing this, I rarely see any cookie popups.

[1] https://oblador.github.io/hush/

And this https://www.i-dont-care-about-cookies.eu/ for a number of other platforms like Firefox and Chrome, and it's recommended by Firefox.
uBlock Origin will take care of blocking tracking popups/banners for you if you enable the "EasyList cookie" filterlist in the settings. It is not activated by default.
My life became so much better when I activated EasyList. Makes me wonder why is it not activated by default.
There is too much to gain from tracking website visitors. Most companies that run websites would rather subject visitors to the pop-up in order to satisfy the law, than to remove tracking.
The blame is at least partly on the economic models of the modern web. Tracking increases the payout of ads, ads are the main source of revenue... cookie popups allow this all to continue.

Without a fundamental reshaping of the web economy, this isn't likely to change.

> Without a fundamental reshaping of the web economy

That's actually quite easy: leave any webpage with cookie banners as fast as possible. Or at least disable everything.

That's exactly what makes it hard: you need everybody to do the same (ok, a majority, but that's not as dramatic :)).
Of course that's true too :)

The problem is that most people blame 'the EU'.

To add to that, the world's economy depends on capital growth, at any cost(pun intended). Considering the blow to GDP if those trillions disappeared, the governments & policy makers would never let that happen.
Being pedantic here, but please stop calling them cookie popups. You are only helping the industry which uses these terms to disguise their intentions. They were never about cookies, they are only about tracking. You don't need consent to use cookies, you just need consent for using them for tracking. If you were not using any cookies at all, but would rather use Etag/Canvas/AdId etc., you would still need the consent popup.

So please everyone, let's call them what they actually are: they are tracking popups.

I love the banners! Sites don't need them for basic functionality, so when you see one you know that you're at a site out to sell your data and violate your privacy.

I feel like I can immediately tell how shady a site is by how annoying and passive aggressive their cookie banners are.

You can't, really. Analytics, and the type of compliance that comes with it, may be the responsibility of site operators, but it is usually never in the operators' wheelhouse. So instead of tailoring a solution for their specific sites, operators outsource this to an industry leader. The banners tell you little about the site operators, and a lot about the adjacent industry.
What do you generally do when you get faced by a popup and the site has the content you need? If you just click yes, then it would have been better if EU just regulated privacy policy to be more readable. It would be easier for sites and better for users who don't care about privacy, and in some ways better for users like you who care about privacy.
But 99 % of websites use cookie banners, even when it’s unnecessary, so it doesn’t really tell you anything.
I am bitterly disappointed by Atlas Obscura in that respect. I really liked them before their GDPR malicious compliance dark patterns revealed them to be sketchy.

https://news.ycombinator.com/item?id=29348637

Here's how it works:

1. Privacy advocates are worked up about cookies.

2. Lawmakers decide to do something, it'll look good.

3. Web depends on ads, so they find workarounds.

4. Everyone suffers.

5. Return to step 1. <-- You are here.

"We" in the EU haven't, really. Lawsuits are taking place regarding how the dialogs are designed but they take forever to go anywhere.
I agree, if anything we should have one accept banner when you open a web browser.

I'd prefer to have a single prompt for all websites read something like: "You are about to browse the internet. The internet can track you, just like a native application, but transparently, such that you can easily inspect and see who is doing it and how, using tools built into the web browser. Click accept to keep it this way? Otherwise, expect vendors to find methods that are harder to understand and detect." [Proceed to the Internet, Stay Home Instead]
