If legitimate interest is actually legitimate then there is no reason to allow an opt-out. They allow it because the truth is that it wouldn’t actually fall under legitimate interests.
According to the Finnish data protection ombudsman, the data subject has the right to object when processing is based on legitimate or public interest. The data subject does not have the right to object when it's based on contract or legal obligations.
Objection itself may or may not stop the processing of data. Usually it should, but there are some situations where it would still be allowed (e.g. "a task in the public interest that requires scientific or historical research or the compilation of statistics")
Now I don't know if there have been any decisions or not based on what kind of tracking would actually be legitimate interest (the text on the website is very ambiguous)
I have always wondered how a site is allowed to offer you an opt-in for anything that doesn't fall under legitimate interest. It would be driven by an illegitimate interest by assumption.
A legitimate interest is a use of personal information that is needed to fulfill a service. This would be something like a session cookie for storing the contents of a shopping cart, a site's preferences, or login information. Using a cookie is the only way to provide that, and the user is basically implicitly asking for something to be stored. It would be silly to have consent checkboxes like "before you can shop with us we need your permission to register what you want to buy" or "you give us permission to share your address details with the delivery company so they can actually deliver stuff to you".
Annoyingly, legitimate interest covers more than that - it also covers opt-in-by-default to direct marketing. Yes, if a customer registers an account or makes a purchase, you can opt them in by default on the basis of "legitimate" interest[0].
Yeah, the problem with "legitimate interests" is they're being used for "build a marketing profile of you" and "send you targeted advertisements" anyway, with the excuse that they're interested in doing that as the basis of their business.
> A legitimate interest is a use of personal information that is needed to fulfill a service.
No, it's not. If you need it to fulfill a service, then you are covered by (b) of Article 6 GDPR I cited earlier:
processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
Legitimate interest under (f) would be something that is not strictly needed to provide the service but (1) beneficial to the processor and (2) does not unduly negatively affect the data subject.
> Thing I keep seeing and don't understand is "Legitimate interest" as a separate thing to consent.
I think it's like this:
Legitimate interest means you've signed up to use the product. It then is assumed that you understand that by signing up/logging in/buying something that you want to be tracked and known (otherwise, how will they know you are the same person who signed up just now?).
Consent doesn't require you to sign up for anything, just click "OK".
But as a result, if you have Legitimate Interest, then companies don't need to ask your permission to track you.
I guess we should ask the EU MPs who included this loophole in the GDPR law.
„Processing shall be lawful only if and to the extent that at least one of the following:
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.“
This "loophole" is necessary to allow certain use cases not to need a banner or opt-in at all. E.g. if I want to buy something online, the shop has to know my address to ship me something. It shouldn't have to ask to use it for that use case. On the other hand, if it does not ship me anything and still asks me for an address, that would not be legitimate interest anymore, unless it can argue for it (e.g. needs the address for the invoice).
I would argue that this loophole is for convenience and was not a hot topic anywhere. How it is used now, however, is a different thing.
The problem is that not having the legitimate interests clause in there potentially causes far more problems - suddenly the law has to enumerate what all the purposes for data processing might be, and new purposes are illegal by default. That would have produced even more HN outrage about GDPR.
Somewhat related, I got a new computer this week, and had to boot into Windows so I could partition the HD to install Linux. This was the first time in 15 years I have booted into a brand new "consumer" Windows install (it was Windows 10 Pro). The "setup" was basically just 10 minutes of them asking in different ways if they could collect my personal data, track my location, send back telemetry etc. Office 365 is the same. I find some new thing every day that I have to opt out of to prevent them stealing my and my business data. It's like they have given up on trying to improve their products (which are basically stable) and shifted into finding more ways to steal data. As much as I dislike Google for this, I realize I'm the product there; with Microsoft I thought I was paying to get business tools, not to be spied on. (To be fair, I then installed Ubuntu, which also wanted to send my data back to Canonical.)
Another example, I bought a car recently that defaults to stealing my personal information and sending it to the manufacturer. I had to call, and provide more information to them, to opt out (and I can only assume they are still stealing information they have deemed critical in some way)
Anyway, I'm reminded of all of this because I think the obfuscated cookie consents are just one facet of how hostile consumer tech has become to users. Aided by complex and ambiguous regulations, companies are able to stay within the letter of the law while making it impossible to just be left alone with your purchase and not be tracked and marketed to.
If there is a regulatory solution, it has to focus on clarity and spirit, not on just more rules. I'm not aware of an example of something like this working elsewhere.
One idea is a heavy tax on advertising. I've argued before that there is a lot in common between environmental pollution and the effects of advertising on the public value of the internet, and I would say this extends to tech generally. Charge a 25-40% tax on ad revenue, and make it less economic for companies to pollute.
> boot into windows so I could partition the HD to install linux
There's your mistake. Partitioning works just fine from the installer, or if the installer provides any live environment on the second virtual console, with gdisk or parted.
The money Microsoft gets from spying on paying users is sometimes called "surveillance dividend". Even if you pay for something, the company can make more money if they also spy on you.
Yup. It's so difficult to run Windows without accidentally agreeing to let them use your data however they'd like. They make it time consuming to opt out as well. Very frustrating at times.
It easily could take 10 minutes to actually read/decipher the word games being played to confuse the reader into accepting the preferred option the vendor wants. Just like it only takes seconds to accept the ToS/EULA because nobody reads them. If people did actually read them, it would take hours/days to do a "simple" install.
Are you talking about any particular individuals or organizations? Who are they? Is this just a general observation? In which case... what evidence do we have to support your statement? Are you suggesting 100% of individuals who support piracy also support privacy? Or is it more like 1%?
We're trying to prevent the data from being created and collected in the first place. Data is abundant after it's been created. Once it's in a database it's a lost cause.
That annoying "TRUSTe" modal. The one you see on java.com for example?
While I have seen less of the "30 seconds to save" issue recently (I dunno if it was a uBlock Origin update or the ad companies actually fixed their scripts), the issue causing it was uBlock Origin. Looking at the network activity when it was happening (it pissed me off too), the script was sending a request to each of the partners with your preference and had to wait for the timeout on the request (as uBlock was blocking the request) before moving on to the next batch. This, scaled over all the partners listed in their ad/tracking partners, added up to a piss take of a long time.
But as I said for me personally when I see that particular opt in/out modal these days it saves almost instantly, so someone somewhere fixed it :-)
EDIT: thinking about it, it might have even been the addition of Firefox's built-in tracker protection that "fixed" the issue for me. I can't recall exactly when I stopped seeing the TRUSTe modal take forever to save my prefs.
I don't know if uBlock Origin increases this further, but even without it it's ridiculous. We measured this just for fun in a paper last year [1]:
> Compared to accepting cookies, opting out causes an additional 279 HTTP(S) requests to 25 domains, which amounts to an additional 1.2 MB / 5.8 MB of data transfer (compressed / uncompressed).
"We can't be bothered to not load trackers without consent so we're going to make calls to all their endpoints and trust they'll respect that and not use the calls themselves to track you"
with a mix of:
"Hey, if we put a sleep(1) every 5 entries it's going to be slow and annoying and less people opt out"
The people doing it just know you won't like the explanation so they're not going to.
This cookie consent functionality should be something the browser reads and gives it to you on a standard format - like the https lock and other privacy info.
This is the correct goddamn answer. Or, better yet, get rid of cookies as a thing. The one and only legitimate use for them is session tracking, so why not provide a session storage mechanism instead? Every website gets a standard login/logout button with pluggable functionality for how you authenticate. And maybe, just maybe, we can then also have Persona-type identities that are stored and synced across all your devices so you just choose from a drop down of which identity you want to use to log in rather than typing usernames and passwords.
Any browser authentication functionality you create will track people exactly as well as 1st party cookies. So, just disallow 3rd party cookies, and get the exact same level of privacy.
Firefox does the "synchronize the authentication data across devices" thing too.
It already exists. If the user agent sends a Do-Not-Track header, the HTTP server will know the user has made their lack of consent explicit. This knowledge is available before the web application even gets control. There are no excuses and no ambiguities.
All courts have to do is request server logs and look for this header. If it's present and the company is found to be violating people's privacy, they are obviously guilty and should be condemned and fined.
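As an added example (not code from the thread, and not from any of the sites or regulators mentioned in it) of the two ideas in the comment above, the block below does both things on the server side: it reads the DNT request header before the application runs and strips tracking cookies from the planned response when the header is `1`, and it audits access-log lines for responses that set a tracking cookie despite `DNT: 1`. The log format, the cookie names and the log lines are all constructed for the demonstration; a real deployment would have to log the DNT value and the cookies set, which common web servers do not do by default.

```python
"""Honouring 'DNT: 1' on the server and auditing access logs for it.

Added example, not code from the thread. The log format and the cookie
names are constructed for the demonstration.
"""
import re

# Constructed classification: cookies needed to run the service versus
# cookies that exist only to track the user. The names are assumed.
FUNCTIONAL_COOKIES = {"session", "cart", "lang"}
TRACKING_COOKIES = {"_ga", "_fbp", "ad_id"}


def dnt_opted_out(headers):
    """True when the user agent made its non-consent explicit with 'DNT: 1'.

    Header names are compared case-insensitively, as HTTP requires.
    """
    for name, value in headers.items():
        if name.lower() == "dnt" and value.strip() == "1":
            return True
    return False


def plan_response(headers, wanted_cookies):
    """Decide which cookies a response may set, before the app gets control.

    Functional cookies are always allowed; tracking cookies are dropped when
    the request carried 'DNT: 1'. Returns (allowed, dropped), both sorted.
    """
    opted_out = dnt_opted_out(headers)
    allowed, dropped = [], []
    for cookie in wanted_cookies:
        if cookie in TRACKING_COOKIES and opted_out:
            dropped.append(cookie)
        else:
            allowed.append(cookie)
    return sorted(allowed), sorted(dropped)


# Constructed access-log lines in an assumed format that records the DNT
# value of the request and the names of every cookie the response set.
LOG_LINES = [
    "2021-02-01T09:00:00Z GET /home dnt=1 set_cookie=session,_ga,_fbp",
    "2021-02-01T09:00:01Z GET /home dnt=0 set_cookie=session,_ga",
    "2021-02-01T09:00:02Z GET /cart dnt=1 set_cookie=cart",
    "2021-02-01T09:00:03Z GET /checkout dnt=- set_cookie=session",
    "2021-02-01T09:00:04Z GET /blog dnt=1 set_cookie=lang,ad_id",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<method>\S+) (?P<path>\S+) "
    r"dnt=(?P<dnt>\S+) set_cookie=(?P<cookies>\S*)$"
)


def find_violations(lines):
    """Return (timestamp, path, tracking cookies set) for every request that
    carried 'DNT: 1' yet got a tracking cookie back in the response."""
    violations = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["dnt"] != "1":
            continue  # malformed line, or the user did not send DNT: 1
        cookies = set(filter(None, m["cookies"].split(",")))
        tracked = sorted(cookies & TRACKING_COOKIES)
        if tracked:
            violations.append((m["ts"], m["path"], tracked))
    return violations


if __name__ == "__main__":
    print(plan_response({"DNT": "1"}, ["session", "_ga"]))
    for hit in find_violations(LOG_LINES):
        print("tracking cookie set despite DNT: 1 ->", hit)
```

The audit only finds what the server chose to log, so it catches first-party cookies the server itself set and says nothing about third-party scripts the page loads; and, as a later comment in the thread notes, DNT was widely sent by default, so a site that honours it is treating it as an operator policy rather than a proven individual choice.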
The whole "website asks" thing seems like a stupid political answer to a technical problem. If the browser denied cookies by default (like it does with location, or webcam access etc) then the problem would be solved.
I suspect the reason Chrome doesn't do that already is that user tracking is essentially Google's business.
This is amusing and on point, kudos to the creator!
The biggest takeaway from this is the dark patterns sites aggressively use to trick you into accepting all their cookies, by making use of creative language that might take a while to parse for the impatient reader or setting buttons to common colours that might confuse someone into clicking.
I really wish there was just a setting in the browser that just says
- Accept 'functional/mandatory' cookies (with exclusion support for sites that abuse this...)
- Reject advertising cookies
- Reject personalisation cookies
- Reject analytics cookies
- Reject tracking cookies
etc. and this config is available for these GDPR banners to query and apply the appropriate settings.
I'm just using uBlockO as such a solution, with the hope that the vast majority of problematic ‘third parties’ are already in the blocklists at a given time.
I am not sure much trickery is needed having witnessed the speed at which some friends just click right past the warnings. Training Gerbils could not be easier.
People want their fix and they want it now, and many are just apathetic to the idea of privacy on the net, to the point we need a better solution.
I think it's less apathy and more that they don't understand the stakes. It's a lot like how laws in the US were written when data collection and processing were a manual task.
Sure, I could tail someone for two weeks, flash their email and SMS data, and flip through publicly available images of them. Or I can get a bunch of digital data points like GPS, wireless APs, and the actual emails and SMS data. Computers and databases make it trivial to sift through this data.
The average person likely doesn't understand how deep digital profiles can go. They think that because they use incognito to look up birthday gifts and porn, everything that's private stays private. What about when screen sharing a work presentation and there's a banner ad for cancer or addiction treatment? What about months of funeral care ads after searching for what to do after a parent or child dies?
People think that advertisers are wasting money since they see ads for the same purchase made a week prior. They'd be devastated if health insurance providers partnered with Visa or a tracking network to extract a "health risk" profile.
The DNT header got abused and sent by default, which gave companies the excuse that it wasn’t actually conveying a user selection, thus wasn’t reflective of their actual choice to avoid tracking. So it goes.
And this is exactly why I enabled the global "Disable JavaScript" option in uBlock Origin. The frustration these popups constantly cause far outweighs the slight annoyance of having to re-enable JS for some websites (and you can ask uBO to remember those anyways).
That's a bit broken for me now. I don't see the popups but I still sometimes get the overlays that stop me scrolling and I have to turn off ublock for the site, click accept, and turn ublock back on.
And this is why the consent information/opt-in/out boxes ought to be able to run with JS disabled, too. It's easy enough to do that... but not that easy if it's something that gets put on the site via JS.
"You opted out of our cookies, but we're going to say we need them anyway, but you can still opt out of that".
It's somewhere between underhand and downright disturbing ("our interests override your lack of consent"? Eww)
https://tietosuoja.fi/en/what-rights-do-data-subjects-have-i...
https://tietosuoja.fi/en/controller-s-legitimate-interests
No, that would be necessary interest, that's case (b) of the processing grounds [1] of Article 6 GDPR.
Legitimate interest is case (f). Basically, processing that is not strictly necessary, but beneficial to the processor.
[1] https://gdpr-info.eu/art-6-gdpr/
[0] https://ico.org.uk/for-organisations/data-protection-advice-...
10 minutes for something like 5 questions?
>and shifted into finding more ways to steal data
If they wanted to steal your data, then they'd ask you about it?
Because if they don't meet a bare minimum of decency and regulatory requirements, they will be fined a substantial % of their revenue.
They ask questions because if they didn't they wouldn't have a defense in court.
Also, even if you toggle "everything off" there is stolen data going through which you don't even have an option to disable.
When collecting usage data, the data is different each time you collect it, and it's not a one-time event; it happens over and over.
I'm not condoning copying games, just saying it's not a fair comparison to gathering your usage data.
[1] https://informationsecurity.uibk.ac.at/pdfs/HWB2020_Consent_...
Maybe some websites just add an ad-blocker penalty whether you opt in or out.
In modern times, we hang a lot of hats on explicit contracts. If contracts don't work well, we're stuck for ideas.
The reductio ad absurdum is that contracts are supposed to be a flexible solution. Meanwhile, almost every implementation is a rote ruleset.
See "EasyList Cookie". https://easylist.to/
Or if you prefer to block social media junk too (as I do), Fanboy's Annoyance list includes both cookies and social blocking.
What would be the harder end level, the Google or the Facebook opt-out screens?