> In Europe, all websites require you to accept cookies
It is always worth pointing out that the complex dark-pattern filled forms that many sites use are their choice and not imposed by the relevant legislation.
They could just make it all opt in/out with a single click, but they know that without the trickery very few users will opt in to being stalked so instead they try to make it as difficult as possible in the hope that you agree to everything either accidentally or just because you are sick of it and want the form to go away. I just back away from sites like that and in particularly egregious cases I've blocked them at the network level with a DNS blacklist: the information I'm looking for has always also been available somewhere else less irritating.
I want to reject all of them, at a protocol level, and never see another one again. That this wasn't written into the "Cookie Law" is proof to me that GDPR and Schrems II are largely written by people who don't understand the technical ramifications of pushing legislation like this through.
They literally are. If a consent form has an “allow all” button but no “reject all”, as many do, then it is not compliant. Likewise for “legitimate interest” (that one really gets my hackles up: it basically says “we see your preference, what would you think if we didn't give a crap?”).
There have been some fines related to this sort of thing, and over time some of the dark patterns are getting a little less common, but enforcement thus far has not been sufficient to make the less dark variants the norm.
It's kind of terrible that you can use extensions XOR your own browser on iOS. One of the many things that drove me back to Android after a good three years using an iPhone.
I have an iPhone for testing stuff for work, and the lack of addons for Firefox on iOS would be a dealbreaker for me if I was going to use it as my daily driver.
Could someone build a large list of such cookies or local storage objects, that I can simply import into my browser and it will remember that I already clicked the consent button? It should be a standard feature of adblockers by now, it has gotten completely out of hand. A billion people losing 10 billion seconds of productivity per day, a handful of lifetimes wasted.
> I don’t know why decades later after this law came into play, nobody at Mozilla or Chrome teams thought of pushing that as a web standard, it just seems so obvious to me: if it’s something every website has to build it over and over again, let’s make it a standard. This way the browser itself could handle it, and so much better
They did. There was the do-not-track header. Of course nobody used it. Sites don't want to make it so you can automatically opt out of cookies. The only way they'll use some standard system that allows that is if the law forces them to.
I did vaguely hear that that may happen. Presumably the bureaucrats that wrote that bit of the GDPR (apparently without consulting anyone who knew anything about the web) do use the web and they must have noticed how annoying it is.
> Presumably the bureaucrats that wrote that bit of the GDPR (apparently without consulting anyone who knew anything about the web) do use the web and they must have noticed how annoying it is.
The GDPR mandates that non-functionally-essential tracking (regardless of whether it’s done via cookies or other means) should be strictly opt-in and the consent process shouldn’t annoy or trick the users into opting in. Pre-ticked checkboxes or making the opt-in button more prominent than the decline button aren’t allowed.
The problem is that up until now enforcement has been non-existent. Thankfully this seems to be changing - the Internet Advertising Bureau’s “consent” framework has recently been ruled non-compliant so hopefully there’s going to be some financial pressure (in the form of fines that everyone has been fear-mongering about) to fix this properly.
> the consent process shouldn’t annoy or trick the users into opting in. Pre-ticked checkboxes or making the opt-in button more prominent than the decline button aren’t allowed.
I wish that was true but the GDPR doesn't actually say that as far as I know. There's official advice to that effect, but it's not written in the law. IIRC it just says it must be a "free choice" which is way more open to interpretation.
I think it's pretty clear that whoever wrote the cookie consent law didn't know the first thing about cookies. Though I'm not completely discounting the possibility that ad companies are deliberately obtuse.
Why law makers decided people should be warned about the websites storing data client-side with users having full control over the content and who it gets shared with, is something I will never quite understand. Though I do recognise that some of the blame lies with most user-agents storing these cookies indefinitely and sharing them without question, by default, to this day.
> Though I'm not completely discounting the possibility that ad companies are deliberately obtuse.
They are definitely being deliberately obtuse. Nothing in the relevant legislation requires anything like the party of dark patterns we see in many sites, in fact many of the consent forms are not conformant with the legislation at all anyway.
Please read my other comment in this thread - the vast majority of cookie consent modals aren’t actually compliant with the GDPR. The problem is that there’s been zero enforcement.
Yep, and the feature is just rule-based auto-clicking elements after the page loads. So it can skip other annoyances like newsletter or app download prompts too.
> Don’t get me wrong, I admire the spirit of the law, that people should know how they are being tracked, but I don’t know why decades later after this law came into play, nobody at Mozilla or Chrome teams thought of pushing that as a web standard, it just seems so obvious to me
They did. It was called Do-Not-Track. The ad industry barely gave a care about it. Microsoft got the bright idea to make it opt-in, but they aren't iOS, so the ad industry responded by ignoring DNT entirely and that was that.
The reason why GDPR plagues the Internet with maliciously designed and legally non-compliant pop-ups everywhere is because of a small exception for "user consent" as a lawful basis for data collection. I imagine the intent was for things like opting into telemetry and error reporting[0], with the idea that if someone tried to ask for consent for ad tracking it'd be rejected.
The ad industry is vehemently opposed to opt-in consent because of two reasons:
- People don't change defaults, so making tracking opt-out means most people get tracked while making it opt-in means most people don't get tracked.
- Nobody will consciously opt-in to ad tracking, or at least they assume nobody will do so.[1]
Since GDPR more or less forces ad companies and web publishers to actually provide user-visible controls for tracking, they've generally agreed upon circumventing the spirit and letter of the law by blasting people with illegal dark patterns to create a veneer of compliance. This is something the EU will need to enforce (and is doing so).
The rest of this article is great, BTW - not a lot of people actually go through the effort of modifying FOSS on iOS to do what they want, and I think more people should. In fact, you might even be able to get this work upstreamed, assuming Apple doesn't have a problem with bundling anti-tracking tools like this into a third-party browser.
That being said, I really wish most FOSS projects on this platform had build systems friendlier to third-party builds than Xcode projects are. The whole "wipe all the team IDs and change the bundle identifier" dance is annoying, and you always have to remember not to commit those changes in Git. I really wish we could make all that information separate from Xcode so it could be properly gitignored.
[0] I generally draw a line between telemetry and ad tracking. As far as I'm concerned, using my data to improve the product I'm using is legitimate. The only concern I have there is who stores the data. Using my data to make your ad sales more lucrative is not. And I imagine if you forced users to make an educated decision they'd be more OK with the former than the latter.
[1] I have heard of people who consciously prefer relevant advertising. You could pitch it to users on that basis; however, ad tracking goes way beyond interest targeting. A huge segment of the ad industry is remarketing: selling ads to people who have recently visited another website. I've found that nontechnical users find these ads to be incredibly annoying, if not creepy, but just assume there's no way to turn them off because the option to do so is intentionally buried.
It can sync your history and bookmarks with desktop Firefox. I think it's also affected by any ad blockers used by iOS Safari such as AdGuard, so there's very little disadvantage.
> I think it's also affected by any ad blockers used by iOS Safari such as AdGuard, so there's very little disadvantage.
It’s definitely not affected by AdGuard (as a content blocker); it’s only affected by AdGuard as a DNS adblocker, and if you see no difference between a content blocker and a DNS blocker I envy you, and you have a way higher tolerance for web bullshit than I do.
Aside from the fact that, as others have pointed out, there is more to Firefox than the engine (though I wish I could have that too), such as Firefox Sync and a UI that better suits my taste, it also signals interest in using a different browser, which hopefully will push Apple to allow full 3rd-party web browsers at some point.
What it's missing is a reason for websites to comply, which is what a law could enforce.
https://guide.hyperweb.app/remove-annoyances/autoclick/
What does it actually mean to buy something these days?
But I get the impression that for the people of North America tablet/smartphone mean iPad/iPhone.
I have no data, but it is the very strong impression I get.