There are sites (like wwe.com) where after you have successfully located the preference to opt out from everything it shows a "processing" screen which is stuck at 98% for about a minute. But accept is "processed" in an instant. Another dark pattern is showing you have opted out but some sites cannot receive opt out requests through https which is written in small fonts. By doing this they have successfully targeted security conscious people. I know this is not something major, but still, how do these people sleep at night?
edit: I looked it up and wwe.com uses TrustArc, which seems to be a shady org certifying privacy. Mired in controversy, they have even settled a case with the FTC in 2014 for $200,000. I'm guessing when push comes to shove and the EU actually decides to prosecute they will pay a similar amount. I bet that amount is already in their books, set aside as "future risk management" or something like that. Just the cost of doing business.
> There are sites (like wwe.com) where after you have successfully located the preference to opt out from everything it shows a "processing" screen which is stuck at 98% for about a minute. But accept is "processed" in an instant.
How desperate does one have to be to work as a developer on projects like this?
> I know this is not something major, but still, how do these people sleep at night?
Easily and without issues. Humans are very good at making sure they do not feel themselves to be evil. A mass murderer will blame everyone except themselves or rationalize their actions as just.
Things which come to mind in 30 seconds:
"The regulation is draconian and it is just to fight it in any way possible."
"Our business helps people and working around this helps our business and thus helps people."
"If people really wanted to and weren't simply mindlessly clicking buttons this won't stop them, so we're actually helping users enact their will."
"We put all this effort into the business, it's evil for the government to interfere for wishy washy reasons."
> There are sites (like wwe.com) where after you have successfully located the preference to opt out from everything it shows a "processing" screen which is stuck at 98% for about a minute. But accept is "processed" in an instant.
This one drives me nuts! It's just such a brazen and blatant piss-take - "you won't let us hoover up your data and sell it to everyone we can? Then we'll punish you".
> it shows a "processing" screen which is stuck at 98% for about a minute
Proximus [0], the partially state-owned and largest telecom provider in Belgium, uses this pattern too.
Additionally, on mobile, scrolling through the cookie-usage options automatically selects the most invasive option. The 'scroll-touch' is registered as a regular touch selecting the option.
Shows a popup, saying "we collect your data yadda yadda yadda". Then there were two buttons. One to agree to that. One to manage it. But clicking on the manage button just took a user to screens and screens of garbage information mainly listing the companies that used the information. Without any option to opt out (you could contact them to opt out, I assume individually). There was a button (if you drilled through the screens) which seemed to imply that it would link to a page that allowed opting out, but all it did was take you back to the first screen of the popup. Unreal. Somebody has thought about that; absolute cretins.
They've changed that so that now there are opt-out toggles (which are obviously all split into groups and are all on by default and so on), I assume because of someone in legal tapping them on the shoulder?
And an "accept" holds seemingly till the end of time, while an "I don't accept" is valid for not much longer than the mouse-button click echoes through my room before you stand before the dialog box yet again, contemplating why you don't do something more useful with your life.
Thank you for mentioning this. I feel as if I have to repeatedly jump through those hoops to decline on the very same sites every other day, if not visit.
Surely the GDPR has to have the foresight of dictating that my choice to accept or decline has to be valid for an equal amount of time, doesn't it? If I'm confronted with that popup as long as I'm declining the regulations are worthless.
On sherdog.com, you get a giant cookie dialogue that covers half the screen on mobile.
If you don't accept, but click on "cookie settings" instead, a page will tell you that you can't choose to block 3rd party cookies unless you accept their 3rd party cookie, because they need to save your setting of not accepting 3rd party cookies in a 3rd party cookie. It's not a Monty Python episode, it's real: https://ibb.co/6YFpGWK
Alternatively, if you click on the next link, you will be taken to a page that explains how to disable cookies in all latest-gen browsers such as Netscape 3 or IE 4.0:
One of the only websites I've seen that offers a big and clear "Decline" button is NextRoll's advertising service [0], e.g. seen on Texas Instruments' website [1]. But I haven't checked whether clicking the "Decline" button actually opts out everything.
My company actually did a very extensive study on this and found that the majority of websites utilize dark patterns. Only 25% of sites are even legally compliant even after deploying consent management software. Companies are openly flouting privacy laws and we actually found some of the worst offenders in the app space where consent mechanisms don't even exist within the apps themselves.
I have seen worse. Der Spiegel has "Accept" and a redirection to the sign-up page for a paid subscription. I was under the impression that forcing people to agree to tracking by withholding services until they do is not allowed under GDPR. Well, apparently it is.
> I was under the impression that forcing people to agree to tracking by withholding services until they do is not allowed under GDPR.
You're 100% correct in your assumption. Der Spiegel is treading on thin ice here, or at least I hope they are.
Here's the relevant GDPR text:
Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment [1]
I'm wondering if enforcing this on the browser level wouldn't make more sense. I mean, if a site uses cookies or wants to track you in any other way it would have to ask for your permission the same way you are asked before accessing your camera or microphone. You could opt in or opt out, which should be the default if you don't make any choice. Then the sites would have to clearly stop you from accessing their content if you didn't opt in, the same way you are stopped with paywalls. I think this would be much more transparent if we really want to teach people that they can pay for the content either with their money or their data. Of course another choice would be to just avoid these sites whatsoever.
Cookies are just a mechanism - tracking information about you without cookies (e.g. by associating it with your IP address and/or other identifying bits) needs just as much consent. A purely technical solution cannot work.
Browsers could still provide a consent API but without strict enforcement it would be pointless - and with proper enforcement you don't need it.
This is how it should be. Unfortunately even if this becomes a standard I can foresee Google dragging their feet on this and never implementing, and providers refusing to comply on grounds of "the user didn't reeeeeally mean to block tracking".
The tracking-banner frenzy GDPR started is unbearable. It has decreased the usability of the web significantly.
Everyone is obsessed with improving page loading time, but what is it worth that the page loads instantly if I have to navigate a maze of consent banner screens before I can see the content behind it?
Why can't everyone at least agree on the same banner format / UI, or have it delegated to the browser behind some native browser functionality like autocomplete?
The reason is that if it's done in the browser then a person's preferences will apply to every website they use with that browser. Publishers will not want that as they hope that users will give them more consent than other web sites (I certainly do give some websites full permissions if I like them, others are a 'reject all' and 'object all')
Also, your consent preferences are stored under that website's cookie. There is the option of a global cookie but nobody uses it. This cookie data is then sent to everyone involved in the adtech chain (which is causing issues since it can be multiple KB in size). Its format is described in [0]
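The consent string referred to above is a bit-packed, base64url-encoded blob, so what a site actually stored after a "reject all" click is not visible without decoding it. The following is an added example written for this thread, not code from the IAB repository linked in [0] and not a reference implementation: it encodes a constructed TCF v2.0 core segment and decodes it back, then checks whether the stored purposes and vendor bits really record a rejection. The field widths are my reading of the v2.0 core-segment layout and are an assumption to check against the spec before using this in an audit; encode_core(), decode_core() and consent_recorded_as_rejection() are names chosen here, the sample strings are constructed by encode_core() rather than taken from any real cookie, the trailing legitimate-interest and publisher-restriction sections are omitted, and only the bitfield (not range) vendor encoding is handled.

```python
"""Encode and decode the core segment of an IAB TCF v2.0 consent string.

Added example (not the IAB's code). The field layout is an ASSUMPTION taken
from my reading of the TCF v2.0 core-segment spec; verify it against the spec
before relying on it. Sample strings are constructed by encode_core().
"""
import base64

# (field name, bit width), read MSB-first in this order from the start of the
# core segment. The vendor bitfield of max_vendor_id bits follows the last field.
CORE_FIELDS = [
    ("version", 6), ("created", 36), ("last_updated", 36),
    ("cmp_id", 12), ("cmp_version", 12), ("consent_screen", 6),
    ("consent_language", 12), ("vendor_list_version", 12),
    ("tcf_policy_version", 6), ("is_service_specific", 1),
    ("use_non_standard_stacks", 1), ("special_feature_opt_ins", 12),
    ("purposes_consent", 24), ("purposes_li_transparency", 24),
    ("purpose_one_treatment", 1), ("publisher_cc", 12),
    ("max_vendor_id", 16), ("is_range_encoding", 1),
]


def _read(bits, pos, width):
    """Return (value, new_pos) for a big-endian field of `width` bits."""
    if len(bits) < pos + width:
        raise ValueError("consent string truncated")
    return int(bits[pos:pos + width], 2), pos + width


def decode_core(tc_string):
    """Decode the core segment into a dict of raw fields plus the sets of
    consented purpose ids and vendor ids (bitfield vendor encoding only)."""
    core = tc_string.split(".")[0]            # later segments are optional
    raw = base64.urlsafe_b64decode(core + "=" * (-len(core) % 4))
    bits = "".join(f"{b:08b}" for b in raw)
    pos, out = 0, {}
    for name, width in CORE_FIELDS:
        out[name], pos = _read(bits, pos, width)
    if out["version"] != 2:
        raise ValueError(f"unsupported TCF version {out['version']}")
    if out["is_range_encoding"]:
        raise NotImplementedError("range-encoded vendor section not handled")
    # Purpose id p is bit (24 - p) of the 24-bit field, i.e. purpose 1 is the MSB.
    out["consented_purposes"] = {
        i + 1 for i in range(24) if (out["purposes_consent"] >> (23 - i)) & 1
    }
    vendor_bits = bits[pos:pos + out["max_vendor_id"]]
    out["consented_vendors"] = {i + 1 for i, b in enumerate(vendor_bits) if b == "1"}
    return out


def encode_core(purposes, vendors, created=0, cmp_id=1, language="EN"):
    """Build a constructed core segment granting exactly `purposes` (ids 1..24)
    and `vendors` (ids >= 1); all other fields get minimal placeholder values."""
    lang = "".join(f"{ord(c) - ord('A'):06b}" for c in language)  # 6 bits/letter
    max_vendor = max(vendors, default=0)
    fields = {
        "version": 2, "created": created, "last_updated": created,
        "cmp_id": cmp_id, "cmp_version": 1, "consent_screen": 1,
        "vendor_list_version": 1, "tcf_policy_version": 2,
        "is_service_specific": 1, "use_non_standard_stacks": 0,
        "special_feature_opt_ins": 0,
        "purposes_consent": sum(1 << (24 - p) for p in purposes),
        "purposes_li_transparency": 0, "purpose_one_treatment": 0,
        "max_vendor_id": max_vendor, "is_range_encoding": 0,
    }
    bits = ""
    for name, width in CORE_FIELDS:
        bits += lang if name in ("consent_language", "publisher_cc") \
            else format(fields[name], f"0{width}b")
    bits += "".join("1" if v in vendors else "0" for v in range(1, max_vendor + 1))
    bits += "0" * (-len(bits) % 8)                      # pad to a byte boundary
    raw = int(bits, 2).to_bytes(len(bits) // 8, "big")
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def consent_recorded_as_rejection(tc_string):
    """True only if the stored string grants no purposes and no vendors, i.e.
    the user's 'reject all' actually took effect in what the site persisted."""
    d = decode_core(tc_string)
    return not d["consented_purposes"] and not d["consented_vendors"]


if __name__ == "__main__":
    # Constructed samples: one for a genuine rejection, one for an "accept".
    rejected = encode_core(purposes=set(), vendors=set())
    accepted = encode_core(purposes={1, 2, 3, 4, 7}, vendors={2, 37, 755})
    for label, s in (("reject all", rejected), ("accept", accepted)):
        d = decode_core(s)
        print(label, s, sorted(d["consented_purposes"]),
              sorted(d["consented_vendors"]), consent_recorded_as_rejection(s))
```

To audit a real site you would paste the value of its consent cookie into decode_core(); an "accept" string is noticeably longer than a rejection because the vendor bitfield grows with the highest vendor id granted.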
GDPR does not require any banners or consent dialogs at all for cookies that are necessary for authentication, navigation, or keeping track of shopping cart contents in the current session, etc.
It's only the unnecessary tracking that needs explicit consent. So it's a good thing if such sites are slow to load and have to present irritating banners for legal reasons. This will hopefully put them at a competitive disadvantage compared to sites that don't insist on tracking their customers.
It'd be useful if the author revealed how she managed to obtain her data. I am pretty sure that a request with just your real name wouldn't reveal much. I assume that most data is collected under some identifier which isn't matched to your real name in order to thwart this kind of request.
Send an email to the address specified (privacy@quantcast.com) with your information and what you're trying to accomplish (typically either a disclosure of what personal information they have on you, or erasure of any said information).
They will almost certainly satisfy your request (even if you don't truly live in California or the EU) because there are significant regulatory repercussions for not responding to legitimate requests. Or at least that's how it works at the big company I work for.
I actually e-mailed the author a year ago to ask that very question.
Her answer was that she provided her cookie ID to Quantcast and then asked for any data associated with that ID. She also promised me to include that information in the article to prevent confusion, but she never did.
Ironically, Quantcast only knew her real identity after the request.
Is this comment and that website [0] sarcasm? What exactly are you automating? The theft of my PII or the opposite? On this matter your privacy policy [1] confuses me.
One more reason to make sure your email account is not compromised in any way. I have many emails associated with my 'profile'. If one of those is compromised somebody could potentially request all of my data.
Requests for information should only be fulfilled with a notarized identification verification. The potential for security breaches here is massive.
In your request, let them know that you are specifically wanting to see what data they have that needs to be updated/corrected. Let them know that the ads you are getting are currently not working, and you are only wanting to help them fix the problem.
The data quantcast collects and stores is associated with cookies in the browser. Generally, you would have to visit their site to allow their code to query the data associated with their domain from your browser.
What to me _seems_ to be much more likely though is that multiple cookies are connected to a classification ID that multiple other users may also be connected to and that to identify your PII within their system you'll need to provide your user name.
I'd also like to know this. It seems like asking this organisation to delete my data would be largely beneficial, but what data do I need to provide for them to do it?
According to GDPR, the contact info for sending an access or deletion request must be provided in the Privacy Policy.
Under GDPR (Europe), if you send a request, the company must honor it unless they have reason to doubt your identity, in which case they must ask for follow-up. Under CCPA (California), they are only obligated to honor "verified" requests. There's a range of what counts as verifying, from just being able to log in to your account on the low end, up to providing 3 pieces of matching data on the high end.
The company is obligated to tell you what data they have. They are not obligated to go out of their way to make connections, though, so you're better served by providing as many identifiers as possible (like account numbers).
This is explicitly false. Mastercard or Experian might know her name but this would not be shared for an audience. It's simply cookie123 is in audience456.
I bought a NET10 international SIM card 7 years ago. Only used it for a couple weeks. Last month I asked them to delete my account. Spoke to 3 people and they weren't able to do it. One agent outright lied and said he did, but I was still able to log in after the fact. The best they managed was to change some of the profile details on the account (name, etc).
I submitted a formal request under California's "Right to Delete" legislation (CCPA section 1798.105).
The response was a formal letter from the parent company denying my request. It's a template letter with legalese bullshit that's totally inapplicable (e.g. they argue there's still a "business relationship", even though we haven't done any business in 7 years).
NET10 is owned by TracFone Wireless, which in turn is 100% owned by América Móvil (NYSE:AMX, $41B market cap). I believe they had my address, email address, phone number, date of birth, etc.
It's disgusting what these giant telco bastards get away with. Why don't US laws have the same "teeth" as GDPR, and any advice to force them to delete my data? (e.g. If anyone here advocates for this sort of thing on social media and wants a slightly-redacted copy of the letter to publicly shame them I'd be happy to deliver that).
FWIW, the GDPR doesn't have too much teeth, either; most big players haven't received big fines. The biggest fine to date has been the French fine of EUR 50m on Google, and Facebook has gotten off almost entirely scot-free so far. That should tell you almost everything you need to know about how effective the GDPR has been.
Of course, I don't mean to say the GDPR is useless. There's a lot of good work being done, and an Italian telecom was fined ~EUR28 mn for violations similar to what you had to face. I just think GDPR enforcement needs to step it up and hit the usual suspects with fines that go beyond a slap on the wrist for it to really change the world. You can track major fines using an enforcement tracker, I check on [1], but you can also just google it every now and then to stay up to date.
To be fair, it's pretty difficult to sue a megacorp and make it stick, so I suspect that we won't see either Google or FB be massively penalised till late 2021 or early 2022.
By which point FB will no longer exist in Europe (as they recently claimed that the Privacy Shield ruling would require them to do).
This reminds me of a story of a little boy that just said: "I like seeing personalized ads."... while dragging everyone with him.
It is incredible that this industry is allowed to operate like it does. If it vanished overnight nothing would happen. The EU just had its strategy changed and pronounced that it is everyone's civic duty to share even more.
Doubtful it would be able to handle advertisers. Although I don't think many countries would be.
> The EU just had its strategy changed and pronounced that it is everyone's civic duty to share even more.
What do you mean? I don’t really understand what that would mean, or what you’re referencing. Was that part of the State of the Union, or is it another announcement?
Edit: I found it. It's information based on an EU strategy document from February.
It wants to market private information of citizens. Justification is that big tech companies already do so. The difference is that not everyone is on facebook/instagram.
Ultimate Hosts Blacklist: 1 million blocked domains (once in a while you might need to unblock something) and also a bonus known hacking IP blocklist (prevents common hacking sources). https://github.com/mitchellkrogza/Ultimate.Hosts.Blacklist
If you have an iOS device, install an ad blocker app like AdBlock Fast; this plugs into practically all web sessions on the phone.
The personal data industry is truly disgusting, but the really funny thing is that most of the data is actually worthless. It's collected only because it can be, not because it's valuable or worthwhile. These companies are basically hoarders. Hoarders that rummage through your trash and spy on you from afar. They are awful, the business is awful, and it is a viable case of "just because you can, should you?"
Indeed, it's totally worthless data. Like, what are you going to do, dissect people into groups that you could heavily target and try to sell them gizmos or swing an election? Pfft, not worth the effort. No companies or state actors are into that kind of thing.
Individual data is useless, but big data is worth gold. It can show you exactly where your target audience is, and what their common interests are. That's super valuable information if you want to start ad campaigns.
It has worth, only not the way you mean. It may (or may not) lead to better sales through ads, but it leads to more and more expensive ad sales and some very wealthy companies.
It occurred to me that if you want to see fewer ads and be generally left alone by marketers, get your IP and online data footprint associated with pariah topics like fringe news sites, weird subcultures, edgy politics, drug use, and privacy.
Basically like being a hacker in the 1980s and 90s, or even part of early rave culture, where the sort of people who work in marketing would be afraid or uncomfortable with being associated with you before the culture is gentrified by people preoccupied by their reputations, and you can be free to create and innovate without being co-opted.
No doubt they still have a category for you, but it's marked as a minefield, which is as good a moat as any.
Do you guys see any ads online? I have ublock origin on my laptop and mobile browsers, modded youtube and instagram with no ads on android. I pretty much never see any ad.
I also add the Annoyances lists to uBlock and I have the "I don't care about cookies" extension to ignore cookie popups.
This is a dangerous game. Be aware that just because it might not seem like anyone is using these data against you right now, doesn't mean they won't in the future.
Another option is to make the choice to not support companies affiliated with the ad-tech industry and just use an ad-blocker. They will even block most dark-pattern-ridden GDPR popups.
Every time I read "We value your privacy" I want to throw something at my computer screen.
The amount of dark patterns and dishonesty in targeted advertising is astonishing.
It's hard to believe this is by accident.
[0] https://www.proximus.be
http://www.allaboutcookies.org/manage-cookies/
Needless to say, I now exclusively use Sherdog's competitor, Tapology.com
[0] https://www.nextroll.com/trust-center
[1] https://www.ti.com/product/TPS543620
https://www.spiegel.de
https://imgur.com/VWBmUzU
[1] https://gdpr.eu/gdpr-consent-requirements/
> It's essentially them hoping that when fines get handed out, they just get a warning because they tried.
I believe it's against the letter of the GDPR, but as it isn't being enforced, we can expect this kind of thing to continue.
[0] https://github.com/InteractiveAdvertisingBureau/GDPR-Transpa...
They want to track you to death, and put the burden of tiptoeing the law on you.
* sorry I meant strongly advising using legalese
P.s. I'll throw an internet party when Hotjar go out of business. Creepy fucks ruin the load time of every site they tarnish.
[1]: https://www.quantcast.com/privacy/data-subject-rights/
[2]: https://www.quantcast.com/privacy/
To Quantcast she was just a cookie with some events that ultimately indicated she might like x and has shown interest in buying y.
Sorry if I'm being a daft punk.
[0] https://www.privicy.com
[1] https://www.privicy.com/legal/privacy-policy
It's enough to email from the address that's associated with the account, generally speaking.
What do you think they'll do with a cookie id associated to a few events?
I've only done this for deletion of data by the way.
1: https://www.coreview.com/blog/alpin-gdpr-fines-list/
Google and Facebook operate with impunity in Europe, as do even sketchier data brokers and ad networks.
The end result of the GDPR was end user annoyance, protectionism for EU companies and the protection of monopolies.
“The EU is launching a market for personal data”
https://www.technologyreview.com/2020/08/11/1006555/eu-data-...
That doesn’t look good...
Corporation block lists (e.g. Facebook, Google) https://github.com/jmdugan/blocklists/tree/master/corporatio...
"Someone Who Cares" list http://someonewhocares.org/hosts/
I use it in combination with uBlock Origin: https://addons.mozilla.org/en-US/firefox/addon/ublock-origin...
There's no extra benefit beyond uBlock Origin, which already blocks requests before they are made.
* Firefox with third-party cookies blocked
* uBlock Origin with the usual blocklists
* PiHole
I highly recommend AdAway if you use Android.
Name a more iconic duo.