My spouse will sometimes mention in conversation with others that I invented the cookie. This always puts me on the spot, and I have to enter into a long explanation of the what and the why of cookies least they believe that I some sort of evil software hacker. (Now for a short explanation so that HN readers don’t think that I’m an evil hacker: I invented them, with the help of a colleague, while at IBM where we were designing a distributed file system. This was before the advent of the World Wide Web.)
Many of us remember when cookies were purely a utility-add for end users and were restricted only to the domain which set them. Thanks for inventing that.
Some popular browsers are supposedly "open source" yet it appears no browser user longing for saner times has ever tried reversed this change and recompiling the browser for their own use. No third party cookies by default.
The most fascinating thing IMO about so-called "modern" browsers is that even when their vendors publish source code, "99.9%" of people will not even attempt to make changes, even something as simple as changing a default from "on" to "off". It's like the software is stamped with "Read Only" or "Do Not Touch" and "99.9%" of people dutifully obey. The "0.1%" appear to be very conservative with the changes they make.
For example, if it was possible to disable auto-loading of resources, I might actually use these "modern" graphical browsers for tasks other than commercially-oriented transactions. Cookies are only one problem with these browsers.
I'm sure that many can make the same claim. In the 1980's, I was an operating systems architect working at IBM. I thought up many interesting (to me) innovations while working on the first couple of releases of the AIX on the IBM POWER hardware. It was a great job and I learned a lot doing it. I got to work with some really brilliant developers and computer scientists (a number from IBM Research).
One project I was responsible for was the development of a distributed file system for AIX. The goal was a distributed file system that addressed some of the weaknesses found in other distributed file systems at the time. Our chief competitor was Sun's NFS distributed file system. NFS was a really nice design. It was well integrated into the operating system and quite reliable because it utilized a (mostly) stateless server. This had a number of performance and security implications along with some file system semantics over NFS that didn't match local file system semantics. We wanted to introduce state for the server to address these issues and thought of a number of complex protocols to manage it in the presence of unreliable clients. That's when I thought up the idea of making the clients keep their own state to be restored when they reconnected to the server. I protected this state from manipulation by the client by encrypting it. I didn't call them cookies, I called them tokens.
This design was patented by IBM and I was one of the two inventors on the patent. This patent was owned by IBM and years later they gave a special award for this patent because it decided that it was one of IBM's most important patents. (They wouldn't have done this unless the patent had held up to scrutiny or legal challenges). Unfortunately, by that time I had already left IBM to start my own company--I was at the top of my game and had confidence that I could create a software product of some kind that would be successful--so I missed out on the financial award for the patent. By then, I was at my new company and already in competition with IBM.
By now, the patent should be long expired. Interestingly, IBM ended up buying my company around seven years after I and a partner started it.
I was very aware of the academic literature and industrial practice during this time so I do believe that my invention does reflect original work that ended up with a very significant impact.
From a more personal perspective, the invention didn't financially benefit me. The work that I did at my company own was more creative, inventive, technically impactful, and financially important to me. For example, Austin Ventures has indicated that my company was the start of Austin becoming an important high-tech location, but none of that was related to the cookie.
Interesting, what kind of cookies? Like I say in the article Lou Montulli from Netscape is generally credited with creating the HTTP cookie, which they named cookie based upon magic cookies in unix, though its obviously quite a bit different.
Yeah, I remember in the mid-late 90's when companies would actually disable cookies altogether. Most non-technical people just don't understand the what/how/why cookies work, or were really needed in the browsers.
In the end, it's definitely been used in excessive and somewhat intrusive ways. I also wish that browsers had better controls over second and third party cookies and tracking (similar for nested iframe) in order to bubble some of it closer to the surface. In the end, pihole, ublock origin and privacy badger goes a long way to limiting this.
Great, so when time travel becomes a thing, I'll add you to the list of people to have a chat with about needing to envision longer term visions for how nefarious people can be. I love that at one point in a not so distant galaxy, er time, that there was a thing of innocence. Now, that innocence can no longer be tolerated and every new thing must have more time invested on how the new thing can be abused rather than just used as intended.
Really? I didn't invent it for browsers, I invented it for distributed file systems before the "World Wide Web" had even been invented. You might as well have a talk with William Shockley or Vint Cerf.
You may as well start by having that conversation with the inventor of the time travel device you're using, because - whew boy the nefarious things people are going to do with it!
Better question here is, why is this not handled through the browser instead of relying on individual web apps to do it.
Block third party cookies by default, delete other cookies on the last tab or window closed and prompt user to save cookies on a form submit ("do not delete cookies for this domain when leaving" type of prompt, for pages with logins, settings, etc).
Also remove features that make easy fingerprinting possible, the site doesn't need to know every font I have installed, just have a "standard set" included with the browser, and use web fonts or whatever for other fonts.
We had P3P spec for it 20 years ago, even implemented in IE! And Google has been sending intentionally malformed P3P header to bypass it. Their trillion dollar business relies on users having difficulty stopping tracking.
Firefox lets you set "strict tracking protection". The settings page warns you that "some sites may break". Some sites whine about this, usually using "Admiral" to check for cookie blocking. Most of those aren't worth visiting anyway.
There's also Privacy Badger, from the EFF. This turned up that the "Who wants to be tracked" site is using "plausible.io" to track visitors.
> Also remove features that make easy fingerprinting possible
Is this (reasonably) possible? If you ever do a graphics project you'll find that it is pretty difficult to get a pixel perfect render. Hence canvas fingerprinting[0]. (same happens for text rendering)
The problem can come down to the silicon lottery as well as the browser[1]. If you render the same code on two different machines, with the same compiler and libraries, you won't get pixel perfect difference. And GPUs don't match CPUs, though can if you edit the FMA instructions. Usually the best way to ensure images are exactly the same is to compare between Macs because the hardware is very similar and similarly binned. So Macs tend to have lower fingerprints in general (to the best of my knowledge) Current canvas blockers tend to just return a value, but that can obviously be a fingerprint itself.
So my question is if this is reasonably solved? I don't see it by being just the browser unless they can specifically just block a lot of that tracking. Which may require a big actor like Google or Apple to make a stand.
(Note: not an expert, but have done a decent amount of visualization work)
I think it makes sense to roll your own analytics stack using first party cookies, but OP went a little bit overboard by removing all tracking cookies altogether.
The problem is that pool is getting increasingly poisoned. Websites are increasingly hosting third-party analytics and advertising tracker scripts on their own sites in order to evade people who are trying to avoid them.
This is making it much less acceptable to allow first-party cookies and scripts.
>why is this not handled through the browser instead of relying on individual web apps to do it.
Websites want you to explicitly reject consent for using your data. There are many untrustworthy places on the internet, so trustworthy places want to explicitly ask because they don't want the user to reject consent to them just because they are being lumped with the other sites.
Now if you had a browser setting that gave consent by default and allowed users to deny consent that is something that would reduce the need of sites constantly asking you for consent. But any attempt to automatically reject consent is just going to result in sites asking for consent via another channel. See what happened to the do not track header when you try and lump all sites together.
I've been thinking about the same thing - this feels like it deserves a native API, so we can get rid of all these dark patterns currently being employed.
It’s there. It’s “Do-Not-Track” and it sadly was never respected by the big platforms (and any developers, really). I’ve never seen a single case where setting the DNT header made a difference — which is dumb considering how infested the web is with privacy prompts…
Server owners can track you with the data they collect, client side can have little control of that. I wonder if there’s a better way possible in the current iteration of the web platform, or if a substantial overhaul is necessary for privacy respecting services.
Perhaps DNT would’ve been more effective if it was written in law? To gather user information for marketing purposes, you must respect this header. But then, how’d you enforce that… other problems: if browsers always set DNT to true by default, then the whole effort is pointless, because nobody will opt-in. This is ideal, but marketers will definitely not like that idea.
Thinking out loud here.
1. Your proposal is not enough for EU privacy law, so you'd still see banners. First-party tracking is still tracking and you still need a banner if you're going to store any data on the client that is not "strictly necessary" for the user's request.
2. Your proposal gives a pretty crummy experience in cases where users do expect the site to store data on the client longer. For logins you're popping up a confusing banner, and for client-side only storage (shopping carts, preferences, work in progress) you're silently discarding people's work.
No consent is required to store cookies required for the site to function. Login cookies, shopping carts etc are fine. The only reason websites display these banners is because they want to track you, and they rely upon misunderstandings like you are propagating to whitewash the request.
The last thing a browser wants to do is break experience for older sites. If a site relies on 3rd party cookies for log in, it will no longer work on your browser. It makes your browser look shit. Same reason we allow unclosed tags, crossed tags, etc.
We also had shockwave flash, blink tags, keygen tags for cert generation, etc., so yeah, we can change stuff if we need it. But since the biggest browser is owned by an ad company that earns money by tracking us, this will probably never happen.
An alternative would be to have a cookie jar per domain.
Browsers already detect login forms to offer autocompletion and password storage. Surely it wouldn’t be insurmountable to detect cookies being set after a login flow, and let users confirm that they want this login to persist.
On mobile safari, private tabs isolate cookies from each other. Also, once you are in private mode, all links open in new private tabs. Close the tab, and the cookies are gone.
I never turn private mode off. I wish firefox and chrome also worked this way.
Browsers can (and do in the case of Firefox and other privacy respecting browsers) try to make it harder to track you, but it's not something they can just unilaterally turn on or off.
Consent dialogs are about what sites do with the information they get about you, not just about what information they get.
I might be wrong but I think the EU regulation that forced these cookie acceptance forms―I can't remember if it was GDPR or some earlier directive―specifically required that the consent submission may not be automated so that the browser can be configured to accept everything.
It may have had good intentions as entities such as Microsoft would just set their browsers to default to accept all cookies anyway and a marginal group of people would know how to turn it off and even they couldn't still be sure if a proprietary browser still accepts and sends cookies without just telling the user.
So as usual the good intentions have turned into a cat-and-mouse game in the technical, grassroot realm. There are browser extensions that will just kill these consent dialogs automatically and websites try (luckily, not very hard so far), to work around the kill scripts. Everybody suffers.
Someone should do a talk a la "Birth and Death of Javascript"[0] on the topic of cookies. What started nearly 30 years ago as a crude means of storing state over a stateless protocol spawned an entire industrial ecosystem around systematically tracking and spying on internet users. Take a step back and it's an insane journey.
I have switched one of my sites to cookieless analytics and it is bad for everybody.
I can't even say how many users this site has now. It could be the same user coming back over and over. Or many users. How would I know.
Yes, I could track a ton of stats about every pageview like user agent, screen resolution etc and then try to stitch it back together. Trying to figure out how many different users there are. But this type of "stitching together" would probably also count as PII.
I cannot test new features and see if it makes users happy so they come back more often.
I cannot see if the site has issues on some hardware, software, language. Because I wouldn't see if users affected come back less often.
I can't test if an introduction text at the beginning helps users discover important features. Because I can't make the connection between showing the text early on in the user journey and usage of features later on. Because I can't see a user journey.
This is a site I run for the enjoyment of me and the other users. Probably a few thousand a month. And I can say the site was much easier to develop with a normal cookie approach to tracking. I have gone the cookieless way for about a year now. And I can say with certainty that it would be a better site now if I kept the cookie approach. When the developer flies blind, that's bad for everybody.
I think for a commercial site, where a degradation of 10% in user experience can tank the business, there is no way around cookie tracking to figure out what works for users and what doesn't.
This is another reason, why European internet companies do not stand a snowball's chance in hell to compete with their US competitors.
European companies need to bug all users and beg for cookies. While US companies only need to do that with their European users.
This is similar to law enforcement saying: "You mean we cannot track everything you say and do. How in the world are we supposed to do our jobs safely and efficiently?" Answer is, you basically can't. Not safely and not (as) efficiently. Because the world will turn dystopian and will destroy the very thing we are trying to create/maintain. (Happiness, etc)
It's nice to be able to A/B test your blog or product. It's cool and efficient, but it also hurts and to me that hurt outweighs your company's marginal benefits although it is a nuanced and difficult discussion to be fair. I'm being simplistic here to make the point clear. I hope.
How is simple analytics or A/B testing that's NOT internet-wide tracking (that is, only for the website you're on) or sold (which would be outright illegal without explicit consent) hurting you? Genuine question, because I don't see it. Internet-wide tracking across many sites: sure. But that's a very different thing – it's the difference between "I'm home Darling, I saw Sander at the mall today" vs. "Hello everyone, here is everything Sander did this week".
Yeah so I run/build/maintain a platform in the public survey space and we have a feedback box for users at the end. This box is a really good source for feedback, don't get me wrong, but a lot of the feedback is "When I hit the button, nothing happens" or "Totally broken, completely unusable" both of which are useless to us. These users clearly want us to fix something, but we have no visibility on what that is.
Genuinely asking - what is the easiest method for doing this other than cookie tracking? I’m inclined to agree with the commenter above and it feels like a community of developers would sympathize with this but it seems like everyone is acting like it’s not a big deal.
We do use cookies for part of the analysis, but they're not unique user-tracking cookies. Instead there's one that simply tracks a self-reported datestamp on when the user last visited, which looks something like:
WMF-Last-Access=2023-01-01,Expires=Wed, 01 Feb 2023 12:00:00 GMT
(we send a Set-Cookie for this with the current datestamp only to the 1-day accuracy, which expires ~32 days after it's set (but rounded to 12-hour accuracy), and is replaced constantly).
There's another more-recent one we use that's explicitly about differential privacy, which send back info on the hashes of the 10 most recent URLs you've visited on the site, IIRC. None of them are unique tracker hashes for a given user, though.
>which send back info on the hashes of the 10 most recent URLs you've visited on the site, IIRC. None of them are unique tracker hashes for a given user, though.
That seems highly unlikely to never be unique for some users.
You could ask people! There is hardly a site I use day to day that I couldn't send a ten paragraph rant about poor usability to the company, if that was socially permissible and felt like they'd care. There's hardly a site I use where I think the developers have ever used it themselves, or ever seen someone trying to use it, for that matter.
> "Because I can't see a user journey."
Today's worst offender was trying to follow an invite and register an account within a company account, it took me two goes through the signup form, two attempts to edit my profile, trying to login to three different subdomains, one useless search of their documentation site, three error messages, two rounds of asking my coworker to check their admin side, before I saw the right thing to do. "You" (big silicon valley company) don't need tracking cookies to "see a user journey" or to tell you that "I really love your site because I keep coming back to it and looking around", you need to grab someone in a hallway and push them through the workflow and watch them fall on their face over and over.
> "I think for a commercial site, where a degradation of 10% in user experience can tank the business"
Imagine how amazing websites would be if that were at all true. Have you seen the user experience of Amazon? or eBay? or Facebook? or 'new' GMail or new Reddit or non-websites like Teams or WebEx?
Hang on, it's not bad for me. If I visit your site, it's not because I want to participate in some kind of A/B testing (whose results you'll never tell me about). And if your site only works if I happen to have hardware X installed, you don't need analytics to tell you that your site is broken.
> European companies need to bug all users and beg for cookies.
That's nonsense. If cookies are needed for the correct operation of the site, then there's no need to beg or bug.
So your banner should be saying: "Can I please set tracking cookies that make no difference at all to the correct operation of the site? [Accept] [Reject]". Then count the number that say Accept, note that the number is approximately zero, and then scrap the banner.
> If I visit your site, it's not because I want to participate in some kind of A/B testing
Nobody wants to be part of the A/B testing; everyone wants the polished product that's the result of A/B testing.
> And if your site only works if I happen to have hardware X installed, you don't need analytics to tell you that your site is broken.
What? Yes you do, or something similar.
> If cookies are needed for the correct operation of the site, then there's no need to beg or bug.
Strictly needed. Suppose I have a dark theme slider, or a language selector, for users who don't want me to follow their OS's settings (or can't or don't know how to change their OS's settings). That's a nonessential cookie which requires the banner.
And if you disagree, your opinion is not worth a lawsuit; the only way to be sure that your use of cookies is limited to those strictly necessary is hire a very expensive european consultant.
UIs were developed in the pre-web world without tracking or analytics. If you clearly explain that the cookie is for improving the UI and the user doesn't want it, it's because they don't care about it as much as you do.
Not really cookie-less and it can be considered a regression compared to cookies because of JS, but something that can work is doing stats + anonymization client-side.
You can store information client-side, without sending them over network, but randomly send digests back to your server.
For instance you can store a counter of the times the user went to visit the website, and randomly with a 1% probability send that counter to your server. (It's better to make it random, because if you send every +=1 you would end up being able to track users).
At my work, I do a lot of statistics of user usage, but I always work to do my best not to leak PII. I'm not a security or privacy researcher, so my work is probably not great but still, the way I do it I believe is largely private:
- No unique ID sent, but a daily digest (some people send every single event to their statistics server, and thus need a unique ID to know how many time one person did one action. With a digest that already counts the actions there is no need)
- bucketized persistent data: for example the available storage size of the device the app is running on. Sending precise value would make it easier to track digests from one day to the other and track users
- For booleans, add some white noise (because 20 booleans is enough to identify someone)
- For open-ended information (for instance the list of countries contacted by your SMS app), booleanize it (one boolean per country, cf previous line), and maybe keep a counter to know how many you didn't take into account to know whether you're still missing a lot.
Yes overall doing it with no PII requires much more work, but then Big Tech (and smaller techs like Clearview) clearly showed that any PII can and WILL be used against their users. The best way to never leak user's data remains to never have them in the first place.
IP address + User-Agent gives you enough data to track "user journeys" whatever this is. I'm curious, what is your favorite example of improving your website based on cookies that you couldn't do with basic IP+UA tracking?
How about tracking the users pulse while he reads your website via his smartwatch. Wouldn't that give you even more insights into the emotional journey?
My point is: You have to draw the line somewhere (and I think the GDPR line is very reasonable). If you are a business relying on having a perfect website, you can use other means like UX labs.
> I can't even say how many users this site has now.
> I cannot test new features and see if it makes users happy so they come back more often.
> I cannot see if the site has issues on some hardware, software, language. Because I wouldn't see if users affected come back less often.
> I can't test if an introduction text at the beginning helps users discover important features. Because I can't make the connection between showing the text early on in the user journey and usage of features later on. Because I can't see a user journey.
Why don't you just ask your users about these things ?
But it's not a question of PII, it's about processing for legitimate interests[0]. If you follow the guidelines then collecting and processing specific anonamised stories is not a problem, cookies or not.
'acquiescence bias' is real but a different thing. Mischievous responders will flip their answer as necessary to screw with you, they don't just 'go down the line', so you can't simply reverse-code or use other such tricks.
Because no one wants to give up the data, and the revenue that comes with it. They just annoy the hell out of the users until they cave in and just accept it. Since it’s a law and every website has to do it, there is no competition to think of. It’s a no brainer
"We value your privacy" is usually a true statement about the monetary value a company places on exploiting your privacy, masquerading as a moral value statement.
Readit News
Some popular browsers are supposedly "open source" yet it appears no browser user longing for saner times has ever tried reversed this change and recompiling the browser for their own use. No third party cookies by default.
The most fascinating thing IMO about so-called "modern" browsers is that even when their vendors publish source code, "99.9%" of people will not even attempt to make changes, even something as simple as changing a default from "on" to "off". It's like the software is stamped with "Read Only" or "Do Not Touch" and "99.9%" of people dutifully obey. The "0.1%" appear to be very conservative with the changes they make.
For example, if it was possible to disable auto-loading of resources, I might actually use these "modern" graphical browsers for tasks other than commercially-oriented transactions. Cookies are only one problem with these browsers.
One project I was responsible for was the development of a distributed file system for AIX. The goal was a distributed file system that addressed some of the weaknesses found in other distributed file systems at the time. Our chief competitor was Sun's NFS distributed file system. NFS was a really nice design. It was well integrated into the operating system and quite reliable because it utilized a (mostly) stateless server. This had a number of performance and security implications along with some file system semantics over NFS that didn't match local file system semantics. We wanted to introduce state for the server to address these issues and thought of a number of complex protocols to manage it in the presence of unreliable clients. That's when I thought up the idea of making the clients keep their own state to be restored when they reconnected to the server. I protected this state from manipulation by the client by encrypting it. I didn't call them cookies, I called them tokens.
This design was patented by IBM and I was one of the two inventors on the patent. This patent was owned by IBM and years later they gave a special award for this patent because it decided that it was one of IBM's most important patents. (They wouldn't have done this unless the patent had held up to scrutiny or legal challenges). Unfortunately, by that time I had already left IBM to start my own company--I was at the top of my game and had confidence that I could create a software product of some kind that would be successful--so I missed out on the financial award for the patent. By then, I was at my new company and already in competition with IBM.
By now, the patent should be long expired. Interestingly, IBM ended up buying my company around seven years after I and a partner started it.
I was very aware of the academic literature and industrial practice during this time so I do believe that my invention does reflect original work that ended up with a very significant impact.
From a more personal perspective, the invention didn't financially benefit me. The work that I did at my company own was more creative, inventive, technically impactful, and financially important to me. For example, Austin Ventures has indicated that my company was the start of Austin becoming an important high-tech location, but none of that was related to the cookie.
In the end, it's definitely been used in excessive and somewhat intrusive ways. I also wish that browsers had better controls over second and third party cookies and tracking (similar for nested iframe) in order to bubble some of it closer to the surface. In the end, pihole, ublock origin and privacy badger goes a long way to limiting this.
Block third party cookies by default, delete other cookies on the last tab or window closed and prompt user to save cookies on a form submit ("do not delete cookies for this domain when leaving" type of prompt, for pages with logins, settings, etc).
Also remove features that make easy fingerprinting possible, the site doesn't need to know every font I have installed, just have a "standard set" included with the browser, and use web fonts or whatever for other fonts.
(for amusement, google P3P and see what comes up first.)
There's also Privacy Badger, from the EFF. This turned up that the "Who wants to be tracked" site is using "plausible.io" to track visitors.
Is this (reasonably) possible? If you ever do a graphics project you'll find that it is pretty difficult to get a pixel perfect render. Hence canvas fingerprinting[0]. (same happens for text rendering)
The problem can come down to the silicon lottery as well as the browser[1]. If you render the same code on two different machines, with the same compiler and libraries, you won't get pixel perfect difference. And GPUs don't match CPUs, though can if you edit the FMA instructions. Usually the best way to ensure images are exactly the same is to compare between Macs because the hardware is very similar and similarly binned. So Macs tend to have lower fingerprints in general (to the best of my knowledge) Current canvas blockers tend to just return a value, but that can obviously be a fingerprint itself.
So my question is if this is reasonably solved? I don't see it by being just the browser unless they can specifically just block a lot of that tracking. Which may require a big actor like Google or Apple to make a stand.
(Note: not an expert, but have done a decent amount of visualization work)
[0] https://privacycheck.sec.lrz.de/active/fp_c/fp_canvas.html
[1] https://stackoverflow.com/questions/47696956/display-pixel-p...
This is making it much less acceptable to allow first-party cookies and scripts.
Websites want you to explicitly reject consent for using your data. There are many untrustworthy places on the internet, so trustworthy places want to explicitly ask because they don't want the user to reject consent to them just because they are being lumped with the other sites.
Now if you had a browser setting that gave consent by default and allowed users to deny consent that is something that would reduce the need of sites constantly asking you for consent. But any attempt to automatically reject consent is just going to result in sites asking for consent via another channel. See what happened to the do not track header when you try and lump all sites together.
Did you forgot what happened the last time 'the browser was handling it'? I would remind you: Internet Explorer, Do Not Track.
Server owners can track you with the data they collect, client side can have little control of that. I wonder if there’s a better way possible in the current iteration of the web platform, or if a substantial overhaul is necessary for privacy respecting services.
Perhaps DNT would’ve been more effective if it was written in law? To gather user information for marketing purposes, you must respect this header. But then, how’d you enforce that… other problems: if browsers always set DNT to true by default, then the whole effort is pointless, because nobody will opt-in. This is ideal, but marketers will definitely not like that idea. Thinking out loud here.
EDIT: found an interesting HN thread from 2017 https://news.ycombinator.com/item?id=14377877
2. Your proposal gives a pretty crummy experience in cases where users do expect the site to store data on the client longer. For logins you're popping up a confusing banner, and for client-side only storage (shopping carts, preferences, work in progress) you're silently discarding people's work.
An alternative would be to have a cookie jar per domain.
I never turn private mode off. I wish firefox and chrome also worked this way.
Browsers can (and do in the case of Firefox and other privacy respecting browsers) try to make it harder to track you, but it's not something they can just unilaterally turn on or off.
Consent dialogs are about what sites do with the information they get about you, not just about what information they get.
We had Do-Not-Track header once. Id did not play out very well.
It may have had good intentions as entities such as Microsoft would just set their browsers to default to accept all cookies anyway and a marginal group of people would know how to turn it off and even they couldn't still be sure if a proprietary browser still accepts and sends cookies without just telling the user.
So as usual the good intentions have turned into a cat-and-mouse game in the technical, grassroot realm. There are browser extensions that will just kill these consent dialogs automatically and websites try (luckily, not very hard so far), to work around the kill scripts. Everybody suffers.
No such regulation has ever existed in the EU.
Yep, i'm just not sure if it was general incompetence or just plain lobbying by third parties to do so.
0 https://www.destroyallsoftware.com/talks/the-birth-and-death...
I can't even say how many users this site has now. It could be the same user coming back over and over. Or many users. How would I know.
Yes, I could track a ton of stats about every pageview like user agent, screen resolution etc and then try to stitch it back together. Trying to figure out how many different users there are. But this type of "stitching together" would probably also count as PII.
I cannot test new features and see if it makes users happy so they come back more often.
I cannot see if the site has issues on some hardware, software, language. Because I wouldn't see if users affected come back less often.
I can't test if an introduction text at the beginning helps users discover important features. Because I can't make the connection between showing the text early on in the user journey and usage of features later on. Because I can't see a user journey.
This is a site I run for the enjoyment of me and the other users. Probably a few thousand a month. And I can say the site was much easier to develop with a normal cookie approach to tracking. I have gone the cookieless way for about a year now. And I can say with certainty that it would be a better site now if I kept the cookie approach. When the developer flies blind, that's bad for everybody.
I think for a commercial site, where a degradation of 10% in user experience can tank the business, there is no way around cookie tracking to figure out what works for users and what doesn't.
This is another reason, why European internet companies do not stand a snowball's chance in hell to compete with their US competitors.
European companies need to bug all users and beg for cookies. While US companies only need to do that with their European users.
It's nice to be able to A/B test your blog or product. It's cool and efficient, but it also hurts and to me that hurt outweighs your company's marginal benefits although it is a nuanced and difficult discussion to be fair. I'm being simplistic here to make the point clear. I hope.
How is simple analytics or A/B testing that's NOT internet-wide tracking (that is, only for the website you're on) or sold (which would be outright illegal without explicit consent) hurting you? Genuine question, because I don't see it. Internet-wide tracking across many sites: sure. But that's a very different thing – it's the difference between "I'm home Darling, I saw Sander at the mall today" vs. "Hello everyone, here is everything Sander did this week".
You can set your browser to not store cookies at all.
Or to discard cookies when you close it.
Or you can delete cookies whenever you feel like.
You can talk to your users in person and ask them, or poll them via email. Do usability tests etc. I guess it just costs more.
Other industries have to do this, they can't just default-spy on their customers.
Marketing survey emails are infinitely more annoying than cookies.
doesn't scale.
> poll them via email
doesn't work.
> default-spy on their customers
analytics is not spying.
Every company claims that they are doing this stuff to make things better for users, and it never is.
You mean back when your average website was hot garbage? The yearning for the days of static HTML pages is childish atavism
We do use cookies for part of the analysis, but they're not unique user-tracking cookies. Instead there's one that simply tracks a self-reported datestamp on when the user last visited, which looks something like:
WMF-Last-Access=2023-01-01,Expires=Wed, 01 Feb 2023 12:00:00 GMT
(we send a Set-Cookie for this with the current datestamp only to the 1-day accuracy, which expires ~32 days after it's set (but rounded to 12-hour accuracy), and is replaced constantly).
There's another more-recent one we use that's explicitly about differential privacy, which send back info on the hashes of the 10 most recent URLs you've visited on the site, IIRC. None of them are unique tracker hashes for a given user, though.
That seems highly unlikely to never be unique for some users.
> "Because I can't see a user journey."
Today's worst offender was trying to follow an invite and register an account within a company account, it took me two goes through the signup form, two attempts to edit my profile, trying to login to three different subdomains, one useless search of their documentation site, three error messages, two rounds of asking my coworker to check their admin side, before I saw the right thing to do. "You" (big silicon valley company) don't need tracking cookies to "see a user journey" or to tell you that "I really love your site because I keep coming back to it and looking around", you need to grab someone in a hallway and push them through the workflow and watch them fall on their face over and over.
> "I think for a commercial site, where a degradation of 10% in user experience can tank the business"
Imagine how amazing websites would be if that were at all true. Have you seen the user experience of Amazon? or eBay? or Facebook? or 'new' GMail or new Reddit or non-websites like Teams or WebEx?
Hang on, it's not bad for me. If I visit your site, it's not because I want to participate in some kind of A/B testing (whose results you'll never tell me about). And if your site only works if I happen to have hardware X installed, you don't need analytics to tell you that your site is broken.
> European companies need to bug all users and beg for cookies.
That's nonsense. If cookies are needed for the correct operation of the site, then there's no need to beg or bug.
So your banner should be saying: "Can I please set tracking cookies that make no difference at all to the correct operation of the site? [Accept] [Reject]". Then count the number that say Accept, note that the number is approximately zero, and then scrap the banner.
Nobody wants to be part of the A/B testing; everyone wants the polished product that's the result of A/B testing.
> And if your site only works if I happen to have hardware X installed, you don't need analytics to tell you that your site is broken.
What? Yes you do, or something similar.
> If cookies are needed for the correct operation of the site, then there's no need to beg or bug.
Strictly needed. Suppose I have a dark theme slider, or a language selector, for users who don't want me to follow their OS's settings (or can't or don't know how to change their OS's settings). That's a nonessential cookie which requires the banner.
And if you disagree, your opinion is not worth a lawsuit; the only way to be sure that your use of cookies is limited to those strictly necessary is hire a very expensive european consultant.
If you didn't pay, I'm not sure why you feel entitled to anything.
Why don't you just hash the IP-address and count unique users that way?
How would that work? I can't think of any approach where getting the original IP back from the hash isn't trivial.
You can store information client-side, without sending them over network, but randomly send digests back to your server.
For instance you can store a counter of the times the user went to visit the website, and randomly with a 1% probability send that counter to your server. (It's better to make it random, because if you send every +=1 you would end up being able to track users).
At my work, I do a lot of statistics of user usage, but I always work to do my best not to leak PII. I'm not a security or privacy researcher, so my work is probably not great but still, the way I do it I believe is largely private:
- No unique ID sent, but a daily digest (some people send every single event to their statistics server, and thus need a unique ID to know how many time one person did one action. With a digest that already counts the actions there is no need)
- bucketized persistent data: for example the available storage size of the device the app is running on. Sending precise value would make it easier to track digests from one day to the other and track users
- For booleans, add some white noise (because 20 booleans is enough to identify someone)
- For open-ended information (for instance the list of countries contacted by your SMS app), booleanize it (one boolean per country, cf previous line), and maybe keep a counter to know how many you didn't take into account to know whether you're still missing a lot.
Yes overall doing it with no PII requires much more work, but then Big Tech (and smaller techs like Clearview) clearly showed that any PII can and WILL be used against their users. The best way to never leak user's data remains to never have them in the first place.
My point is: You have to draw the line somewhere (and I think the GDPR line is very reasonable). If you are a business relying on having a perfect website, you can use other means like UX labs.
Users coming back more often does not imply that they are happy. There’s no substitute for actual user studies.
> I cannot test new features and see if it makes users happy so they come back more often.
> I cannot see if the site has issues on some hardware, software, language. Because I wouldn't see if users affected come back less often.
> I can't test if an introduction text at the beginning helps users discover important features. Because I can't make the connection between showing the text early on in the user journey and usage of features later on. Because I can't see a user journey.
Why don't you just ask your users about these things ?
[0]: https://ico.org.uk/for-organisations/guide-to-data-protectio...
Cookies are just a Dumb Implementation and only persist due to advertising.
https://gwern.net/note/lizardman
My guess is about the same 94% / 6%. But I'm not sure it's the 6% that represents lizardman.