Readit News
Faint · 5 years ago
All this "do you agree to this and that" nonsense could be avoided by "inversion of control": instead of sites asking users whether they agree to this 100 page document, websites should be legally bound to listen and honor directives that users give about the data the sites gather.

For example, for cookies, legally force, with the cookie (with a standard protocol), transmit of "intent", like cross-site tracking, whether it is used for advertisement or something else, whether it may be shared with third parties, etc. Then the browser would simply not accept cookies with intent the surfer disagrees with.

Another possibility is, that the browser could, in a standard header, with a bunch of standardized flags, tell what the site may or may not do with the data they gather about the surfer.

joshuaissac · 5 years ago
> Another possibility is, that the browser could, in a standard header, with a bunch of standardized flags, tell what the site may or may not do with the data they gather about the surfer.

There was a W3C standard called P3P which is similar to what you describe. It was implemented by Internet Explorer, but fell into disuse long before cookie notices became common. Bringing back something like that would be an improvement over having to deal with cookie banners per site.

Macha · 5 years ago
It fell into disuse as compliance was strictly voluntary on the part of websites. So they did not comply.
ccheney · 5 years ago
There's also DNT (do not track) where the standards group was disbanded[1] in early 2019

[1] https://github.com/w3c/dnt/commit/5d85d6c3d116b5eb29fddc6935...

eyelidlessness · 5 years ago
A much more naive version of this, the Do Not Track header, was removed from major browsers (partly) because it was actually being used for fingerprinting. I strongly suspect a less naive version would be subject to more abuse: as it gets more granular it becomes a fingerprint all on its own.

I understand that you’re suggesting pairing it with legal force, but I also highly doubt that would or could be effective in any kind of consistent way.
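
The fingerprinting concern in the comment above can be measured. This is an added example, not part of any comment in the thread: it builds a constructed population of browsers and reports how much identifying information a preference header carries as it grows from one DNT-style flag to sixteen. The population size, per-flag opt rates and seed are assumptions chosen for illustration.

```javascript
// Added example. The population is constructed, not measured from real browsers.

// Small deterministic PRNG (mulberry32) so every run gives the same population.
function mulberry32(seed) {
  let a = seed | 0;
  return function () {
    a = (a + 0x6d2b79f5) | 0;
    let t = Math.imul(a ^ (a >>> 15), 1 | a);
    t = (t + Math.imul(t ^ (t >>> 7), 61 | t)) ^ t;
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Assumed probability that a user flips each flag away from its default.
// Flag 0 plays the role of a single DNT-style bit; the list repeats for wider headers.
const OPT_RATES = [0.12, 0.5, 0.3, 0.4, 0.2, 0.5, 0.35, 0.45];

// One "0"/"1" string of nFlags preference bits per user.
function buildPopulation(nUsers, nFlags, seed) {
  const rand = mulberry32(seed);
  const users = [];
  for (let u = 0; u < nUsers; u++) {
    let bits = "";
    for (let f = 0; f < nFlags; f++) {
      bits += rand() < OPT_RATES[f % OPT_RATES.length] ? "1" : "0";
    }
    users.push(bits);
  }
  return users;
}

// Measure a header that exposes only the first `width` flags of each user.
function measure(population, width) {
  const counts = new Map();
  for (const bits of population) {
    const value = bits.slice(0, width);
    counts.set(value, (counts.get(value) || 0) + 1);
  }
  let entropyBits = 0; // Shannon entropy of the header value distribution
  let unique = 0;      // users whose header value nobody else sends
  for (const c of counts.values()) {
    const p = c / population.length;
    entropyBits -= p * Math.log2(p);
    if (c === 1) unique += 1;
  }
  return {
    width,
    distinctValues: counts.size,
    entropyBits,
    uniqueShare: unique / population.length,
  };
}

// Same 5000 users, seen through headers of increasing granularity.
function report() {
  const population = buildPopulation(5000, 16, 2021);
  return [1, 4, 8, 16].map((width) => measure(population, width));
}

console.table(
  report().map((r) => ({
    flags: r.width,
    distinct: r.distinctValues,
    bits: r.entropyBits.toFixed(2),
    "unique users": (100 * r.uniqueShare).toFixed(1) + "%",
  }))
);
```

Per-site allow/block lists, as proposed elsewhere in the thread, would add further bits on top of the flags counted here if they were ever visible to sites.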

GordonS · 5 years ago
I think another reason Do Not Track failed is that advertisers (e.g. Google) didn't like it. Microsoft setting Do Not Track on by default in Internet Explorer was likely the death knell.
toss1 · 5 years ago
Attach it with legal force and money, as in allow users to sue for violations, and explicitly permit class actions with the definition of class (all people similarly situated; definition frequently abused by defendants) to be anyone with a browser.

Needs more work, but the concept is that it needs to incentivize developers to develop track-the-tracker technologies that will catch violators, which then leads fairly directly to a profitable private suit (instead of relying on the overworked govt bureaus to do it).

reaperducer · 5 years ago
> For example, for cookies, legally force, with the cookie (with a standard protocol), transmit of "intent", like cross-site tracking, whether it is used for advertisement or something else, whether it may be shared with third parties, etc. Then the browser would simply not accept cookies with intent the surfer disagrees with.

And then you get Facebook spending millions of dollars taking out full-page ads in newspapers telling people that you are an evil demon who kicks puppies and hates small businesses.

(Ever notice that when Facebook wants to reach the most people, and the most important people, it uses newspapers, rather than its own platform?)

gord288 · 5 years ago
> (Ever notice that when Facebook wants to reach the most people, and the most important people, it uses newspapers, rather than its own platform?)

They do this when they want to get the attention of legislators, or the gatekeepers/editors of legacy corporate media outlets.

rebuilder · 5 years ago
How would it look if Facebook started pushing its own political propaganda in ads on their own site?
2112 · 5 years ago
Personally, I find that this [0] doesn't break many sites at all, but messes with cookies to an appreciable extent. Combine this with an extensive use of that [1] and clearing your cache and cookies every day, and I think you're in decent shape while some heavy and heavily lobbied government body inches towards doing something about it.

[0] uBlock Origin

https://addons.mozilla.org/en-US/firefox/addon/ublock-origin...

[1] Firefox Multi-Account Containers

https://addons.mozilla.org/en-US/firefox/addon/multi-account...

rakoo · 5 years ago
I went a step further and installed Temporary Containers. Unless the domain is a special one (and goes in a long-lived container), a new tab cannot share any content with other tabs. Whenever the tab is closed all site-related content is removed.

It's still a bit wonky because some sites do redirections, and it's not properly caught (unless there's some option I missed)

The next step is to disable _all_ cookies, even first-party, by default (unless I have a special relationship with the domain of course). It's working surprisingly well and I believe this should be the default.

Mathnerd314 · 5 years ago
> clearing your cache and cookies every day

A good extension for the cookie part is https://github.com/Cookie-AutoDelete/Cookie-AutoDelete - it deletes all cookies from a site after you close the tab.

ssss11 · 5 years ago
You’re on the right track. Browser makers should be on the users' side and websites should have to honour users' preferences which are configured and sent to sites in the headers.
matheusmoreira · 5 years ago
Completely agree. At some point, browsers ceased to be user agents. They became mere viewers of content.
hartator · 5 years ago
No one wants to be tracked though but they want the website to work. “All cookies” seem to play with that line. Don’t track me but allow website to work must be enforced on the client side. It’s what we do with uBlock Origin and the like.
ncallaway · 5 years ago
The new GDPR cookie banners are much better.

They are required to have a button to let you manage preferences, and are required to allow you to disable all cookies that aren't necessary for the site to function.

So, on any GDPR cookie banner I always click the smaller "manage" link instead of the "accept all" button. On the manage page, disable every option provided, then close the modal. I've never had a site that offered this kind of banner break in any way because of the disabled cookies.

notatoad · 5 years ago
what about an even simpler mechanism - a website offers cookies to the browser, and the browser can choose to either store or not store that cookie. if the browser chooses not to store the cookie, it's up to the website to inform the user that their browser has rejected the cookie and explain what functionality won't be provided.
boxfire · 5 years ago
Would making all HTTP requests embed a header with a CCPA / GDPR claim be binding? It is as verifiable as any request through their form... it's my original connection, so if they associate tracking data with me then they must associate this with me as well. Businesses should agree to my terms to make socket connections to me, else I should be able to see them in court. Proliferation is one way to end the modern shitty tracking madness.

> x-ccpa I do not consent to the sale or disclosure of my personal data and demand the deletion of my personal data per California CIV 1798.120, 1798.121, and 1798.105

mnw21cam · 5 years ago
At a basic level, you shouldn't have to declare that you haven't agreed to something. You have only agreed to it if you actually do something to agree to it. The only advantage this could possibly have is if the web sites stop asking you to agree if you tell them in advance that you won't. However, I can't see that it would be illegal for them to ask anyway, so they will.

Secondly, this is another thing that would be used to fingerprint the web browser.

msla · 5 years ago
Legally bound under whose laws?

We sometimes like to pretend that if a law is in force somewhere, it's in force everywhere, but that isn't the case. Otherwise, I'd be in serious trouble for saying I support Hong Kong independence. So you're creating these massively granular permissions and then passing some law, somewhere, saying they can't be used to fingerprint, but that's precisely what they will be used for everywhere the law isn't in force, which will likely be most of the world.

GordonS · 5 years ago
I said the same thing in a recent thread about cookies, and someone pointed out that there had been some kind of proposal along these lines, but it hadn't gotten any traction. I don't recall the name of it tho. (it wasn't Do Not Track, it was more complex, where cookies had some kind of "intent"/category associated with them).
eli · 5 years ago
Microsoft tried this 20 years ago with P3P: https://en.wikipedia.org/wiki/P3P

It's really really hard to come up with a machine readable code that encapsulates what each cookie means and does.

Also obviously true bad actors would just lie.

remram · 5 years ago
In practice, this is what most people do: click "accept" to make the prompt go away, and use extensions to block the tracking scripts and cookies...
Shivetya · 5 years ago
eventually all sessions will have to operate like they are in a private window keeping the cookies permanently isolated to the host site visited and quarantine any third party cookies perhaps even find a means to spoof them.

in effect our browsers will need a db type tech to manage cookies and only serve them back when appropriate. a lot of what sites want to preserve for us; log in and such; can easily be done without cookies

wombatpm · 5 years ago
Now we are back to setting the evil bit on IP packets? Bad behavior will flourish until there are penalties commensurate with the benefits obtained.
maxerickson · 5 years ago
I just tell my browser to discard all cookies at the end of every session (with a list of sites to keep).
tagawa · 5 years ago
Take a look at Global Privacy Control (GPC) which aims to do similar to what you’re describing, and is legally binding under CCPA and could be under GDPR too: https://globalprivacycontrol.org/

bb101 · 5 years ago
The most egregious violation I've seen is weather.com's cookie process. Go to https://weather.com/en-GB/ and click "Proceed with required cookies only". It's almost theatrical: first a spinning loading wheel, then the message "We are processing your request, this could take up to a few minutes to process." Then wait for their "Processing 0%" countdown to take a few minutes to reach 100%. Anyone would think they are trying to discourage people from choosing that option?
mattvot · 5 years ago
Looking at the network requests when you hit that button it seems to be hitting a lot of tracking providers' opt-out API endpoints. Which is good I suppose, though better not to even include their scripts until you agree to it.
riggsdk · 5 years ago
Just the fact that it sends opt-out HTTP calls to all those providers means that they now know that you are using that website. It's terrible design.
noja · 5 years ago
So if I opt-out, it (basically) sends my ip address to lots of trackers?

Why? That sounds illegal.

Why doesn't it simply not load the trackers?
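
The alternative raised in this sub-thread, deciding on the server which third-party tags to emit instead of loading them and then calling their opt-out endpoints, looks like this as an added example (not code from weather.com or from any commenter). `Sec-GPC: 1` and `DNT: 1` are the real request headers; the tag URLs, the `consent` cookie and its dot-separated format, and the rule that a browser-level signal overrides stored advertising consent are assumptions.

```javascript
// Added example. Tag list and consent cookie format are hypothetical.
const TAGS = [
  { src: "/static/app.js", purpose: "functional" },
  { src: "https://metrics.example/m.js", purpose: "performance" },
  { src: "https://ads.example/t.js", purpose: "advertising" },
];
const OPTIONAL_PURPOSES = new Set(["performance", "advertising"]);

// Purposes the visitor explicitly granted on this site,
// stored as e.g. "consent=performance.advertising" (assumed format).
function grantedFromCookie(cookieHeader) {
  const granted = new Set();
  for (const part of (cookieHeader || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1 || part.slice(0, eq).trim() !== "consent") continue;
    for (const purpose of part.slice(eq + 1).trim().split(".")) {
      // Unknown values are ignored rather than trusted.
      if (OPTIONAL_PURPOSES.has(purpose)) granted.add(purpose);
    }
  }
  return granted;
}

// Purposes that apply to this request. Nothing optional is on by default.
function allowedPurposes(headers) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) {
    h[name.toLowerCase()] = String(value).trim();
  }
  const allowed = grantedFromCookie(h["cookie"]);
  allowed.add("functional");
  // Policy assumption: a browser-level opt-out wins over stored per-site consent.
  if (h["sec-gpc"] === "1" || h["dnt"] === "1") allowed.delete("advertising");
  return allowed;
}

// Script URLs that are written into the page. A tag that is not returned
// is never requested, so its provider never learns about the visit.
function tagsToRender(headers) {
  const allowed = allowedPurposes(headers);
  return TAGS.filter((tag) => allowed.has(tag.purpose)).map((tag) => tag.src);
}

// Markup for the <head>; the URLs come only from the fixed TAGS list.
function renderHead(headers) {
  return tagsToRender(headers)
    .map((src) => `<script src="${src}"></script>`)
    .join("\n");
}

// Constructed requests:
console.log(tagsToRender({}));
console.log(tagsToRender({ Cookie: "sid=abc; consent=performance.advertising" }));
console.log(tagsToRender({ "Sec-GPC": "1", Cookie: "consent=performance.advertising" }));
```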

waihtis · 5 years ago
Hilarious. While I was observing this I also noticed

> Weather.com - an IBM business

felt like it explained this design pattern perfectly

GordonS · 5 years ago
There's another one of these things that's used on lots of sites, that takes three (3!) minutes, with no network requests or anything happening after the first couple of seconds. I forget the name of the company behind it, but it's a large one, one of the ones that sites proudly proclaim with a "protected by X" image.

It's beyond a dark pattern - it's plain fucking disgusting behaviour.

MaxBarraclough · 5 years ago
> It's beyond a dark pattern - it's plain fucking disgusting behaviour.

As I mentioned in my other comment, I suspect it's actually forbidden by the GDPR, but that doesn't stop anyone.

gadders · 5 years ago
I do wonder if some of the "No" requests are being throttled. Seem to be a lot slower than "Yes" on a lot of sites.
MaxBarraclough · 5 years ago
> Anyone would think they are trying to discourage people from choosing that option?

I realise it's comically unenforced, but doesn't the GDPR forbid websites from doing that?

Obvious ugly workaround: use a Private Browsing session for that website.

josefx · 5 years ago
Still getting a unique fingerprint when I open a "private" browsing window. Might as well skip hard hats and use paper bags instead, the effectiveness is similar.
BugWatch · 5 years ago
Open Tumblr.

Choose not to accept / options.

You'll be faced with 330+ individual agree/disagree toggles. THERE IS NO REJECT ALL BUTTON. If you're not technically inclined, you have to manually click them all.

You also have to choose block/remove consent (or whatever it is called) for similar crap hidden under the "Legitimate uses" category moniker. Same shit.

For this, and similar idiotic dark patterns, there's a Firefox addon called "Unchecker".

https://addons.mozilla.org/en-US/firefox/addon/unchecker/

That is, of course, until they start using buttons (some already do), double negatives in the wording or some such crap.

rav · 5 years ago
Once the article got to opening the Dev Tools, I was surprised at the next approach: Copying the HTML into an editor, reformatting, copying into a C# project, setting up build rules for the copied HTML code, etc.

In this case I would always reach for typing a JavaScript oneliner into the dev console, using a couple of tricks:

1. Right click the element in the Inspector and choose "Copy" -> "CSS Selector".

2. Start typing the oneliner in the web dev console: Use [].slice.call(document.querySelectorAll("PASTED CSS SELECTOR")) to turn the elements into a JS array.

3. Use (...).map((o, i) => {...}).join("") to turn the JS array into a long formatted text string.

The result is the following, which took me a minute to type up and debug - from my perspective, a thousand times faster than firing up an IDE and setting up a new "project" to simply run a regex against some HTML.

    {const rows = [].slice.call(document.querySelectorAll("li.vendor-item")).map((o, i) => {const idx = 1 + i; const name = o.querySelector(".vendor-title").textContent.trim(); const url = o.querySelector(".vendor-privacy-notice").href; return `|${idx}|${name}|[${url}](${url})|\n`}).join("");  `Listing As At 30 December 2020 08:10 GMT\n\n|-|Vendor| URL |\n|---|---|---|\n${rows}`}

trulyme · 5 years ago
Clever! It depends probably on the tech you are most comfortable with. I would probably copy to vscode and then use search & replace with regex there, or use multiline edit.
sdfhbdf · 5 years ago
It’s cliche but why for the love of god can’t they honor Do Not Track that is a toggle in every browser [0].

[0]: https://en.m.wikipedia.org/wiki/Do_Not_Track

encom · 5 years ago
DNT was never going to work, because you're asking scumbags, who make money in scummy ways, to please not be scumbags.
scatters · 5 years ago
Because browser vendors decided to toggle it to on by default, which made it meaningless.
jeroenhd · 5 years ago
It isn't meaningless, it just means that users don't consent by default. That's the default state; permission should always be explicit.

Perhaps the header should be made to be easy to apply per domain, so websites can request tracking permissions, but in my opinion the necessity of the header is exactly the point of enabling it by default.

The header is simple: I do not want to be tracked. Do not track me. If you want to track me, ask me to disable the header so I can leave your website.

Honestly, I don't understand why this header wasn't mentioned in the ePrivacy directive the EU passed recently. There's a perfectly good way to communicate intent about tracking options to websites, and it's being blatantly ignored.

Arkanosis · 5 years ago
It did not make it meaningless, it made it mean that people didn't opt in for tracking. And of course nobody has.

Which is what it should have been to begin with: a “do track” header that no sane person would opt in for.

The whole “people consent to everything unless they go out of their way to say otherwise” thing is a farce.

eyelidlessness · 5 years ago
Honestly I think people accepted this claim too easily. First of all only one browser did that AFAIK. Second of all even if it were entirely opt in it’s another fingerprinting target and was actively being used for that. I really don’t think the people who would fingerprint DNT care one bit whether it’s an explicit statement of intent or not.
mnw21cam · 5 years ago
In what way did it make that meaningless?
riggsdk · 5 years ago
Because they unfortunately don't have to legally. It never caught on in politics and lawmaking. Not even the GDPR seemed to bother revisiting it.

By honoring it they would lose an advantage over all the other ones who don't.

FrontAid · 5 years ago
Maybe https://globalprivacycontrol.org/ could change that.
weinzierl · 5 years ago
Somewhat related: Just yesterday the EU ePrivacy regulation took the first hurdle in Brussels. This will most likely bring some changes to the whole consent drama.

I'm not good at reading legalese and there seems to be no commentary for the current version[1] yet. What I understand is that they "encourage" browsers to implement "whitelists" (their choice of word, not mine) as a solution to "end-users [..] overloaded with requests to provide consent". I'm not sure there is an update regarding first-party analytics cookies which some hoped will be there.

[1] https://data.consilium.europa.eu/doc/document/ST-6087-2021-I...

CoolGuySteve · 5 years ago
I really wish this law had forced websites to respect a toggle in the browser UI instead of being allowed to engage in all their dark pattern shenanigans.
riggsdk · 5 years ago
The cookie policies and laws are broken. The ever-annoying cookie popups are breaking the internet in more ways than it fixes it. The choice to make each website show their own cookie selection screens is part of all this.

I am one of the few that (most of the time) actually takes the time to click "Reject all" whenever possible. Some websites are EXTREMELY shady when it comes to this though and hide their targeted advertisement and user-profile building into their "legitimate interests" section that IS NOT automatically turned off even if you "reject all". You have to manually go through them and "object" to each and every one of them. Often no "object to all" button.

Imagine if sex used the same notion of "consent": "Ok so you rejected having intercourse with me, but I have a 'legitimate interest' in fellatio that you didn't specifically say no to, so now you have to!". It is just terrible..

"Legitimate interest" is a broken term in those cookie forms. Legitimate to whom? Of course any company has a legitimate interest in making buckets of money.

Every browser should have a mandatory "cookie preferences" section where you can set your preferences for each of the typical use-cases for cookies. Strictly functional cookies? OK. Targeted advertisement? NO. Tracking between websites? NO. Measure site performance? OK. etc.etc.

Whatever role the current cookie panes now fill, the browser should take over using some standard. The preferences could get sent directly over HTTP with the initial page-load and the server/site would have to comply or face extreme fines.

With the browser approach you could maintain your own allow/blocklist for site-specific settings. All this could be synchronized across your various devices.

Only then would we not be annoyed by those popups again.

mnw21cam · 5 years ago
It isn't the law that is broken, but rather the enforcement.

All the concerns you raise here are covered by the law. It's illegal for it to take longer to reject tracking than to allow it, which should ban all these web sites that try to get you to scroll through several hundred options turning them all off. "Legitimate interest" means that whatever data they want to process is a necessary step in order to do what the user has asked for - for instance, the web site has to be able to set a login token cookie when you log in, and that's allowed because you literally just asked to log in, and that's the only way the web site can do what you asked.

All these web sites are illegally making the cookie experience dire. They are doing it so that they can:

1. Collect data from people who get fed up and click accept, people who accidentally click accept, etc.

2. Annoy everyone and make people think that the laws are broken, which increases the chances that the laws will be changed in the future.

Enforcement would help with this, but there's little sign of it happening.

rjmunro · 5 years ago
Early on, browsers had UI to block cookies. Sometimes you had to press "yes" to accept a cookie. No participation from websites was needed.

No one ever used it, and over time it got more and more hidden. It's still there if you look for it.

Nextgrid · 5 years ago
The concept of tracking as per the GDPR goes beyond cookies though. It includes any kind of personal data collection, and personal data refers to anything that can uniquely identify a person with reasonable certainty.

So cookies aren't the only thing that requires consent - things like browser fingerprinting and even collecting IP addresses for non-essential purposes (aka you can probably claim legitimate interest if you collect them for technical or fraud prevention reasons, but using that data for analytics or marketing would require consent).

This is also why I think clicking "accept all" on the cookie prompts with cookies disabled at the browser level isn't a good idea. You're still giving them permission to stalk you using other means than cookies, and they very well know that. At least use an ad-blocker which blocks the consent prompts completely - technically you never provided permission, so while they might still stalk you at least they don't have a legal basis for doing so.

The GDPR is less about the technical aspect of data collection and more about the intent behind said collection and the planned use for the collected data, something the browser can't really tell.

dsego · 5 years ago
Yes, I remember this as a kid in the early IE days, like version 4 or something, not sure, but it was there.
jokethrowaway · 5 years ago
TL;DR: Thanks Europe for fixing something almost nobody cared about, by making the internet worse for everyone and by forcing society as a whole to spend money building terrible UIs.

And in the end, people still just Accept All because it's the fastest way to content.

gggtt · 5 years ago
Totally agree. Maybe GPC could become that one day? https://spreadprivacy.com/global-privacy-control-enabled-by-...

It kind of seems like a second attempt to the do-not-track switch which was a failure. There must be strong backing in the laws for such feature to be meaningful otherwise nobody will respect it

GordonS · 5 years ago
Gods, but that sounds brilliant. Having a single toggle for non-essential cookies, even if it's on a site-by-site basis, would be a whole lot better than every website having its own, different (and often highly dubious) way of handling things.

The cookie debacle has been going on for so long now, and is obviously not going away any time soon - surely there must have been draft RFCs or even W3C proposals along these lines at some point?

FriedrichN · 5 years ago
If a website had me jumping through too many hoops, I just don't bother. Many websites refuse to work without an egregious amount of third party JavaScript which makes it a pain in the ass to visit if you use uBlock Origin/uMatrix.

Let's be honest most of the websites that won't work without JavaScript aren't even really worth it. The content is usually garbage anyway.

greggyb · 5 years ago
I find very few sites in my regular browsing where uBlock Origin makes it unusable. The out of the box defaults are very well tuned in my experience.
encom · 5 years ago
I have all the filters enabled in uBlock (except language specific ones), and that takes care of most cookie popups.

If I still see a popup, I just leave. I refuse to interact with popups. That was true in the 90's, and it's true today.