hedora · 9 months ago
> The GPC signal will be intended to communicate a Do Not Sell

So, there is no tracking opt-out like DNT had.

Do Not Sell is classic regulatory capture: It allows incumbent players to continue their current bad behavior, and directs revenue streams from smaller players (data brokers) to existing monopolies.

Also, this opt out won’t interfere with Mozilla’s recently acquired ad business, which uses user data to sell ad real estate (invading their privacy with obtrusive ads).

(Sorry for the awkward sentence, but they claim it is a privacy preserving technology that doesn’t gather or sell user data, and there’s no way to be doublespeak compliant without using tortured grammar.)

mimasama · 9 months ago
"Tracking" is pretty vague and trying to stop it is just unenforceable, unlike "selling personal information" which is very clear and what GPC and the CCPA and GDPR cover. I often criticize Mozilla but they're correct in replacing unenforceable DNT (which is also worse fingerprinting-wise since it has three possible values instead of being a binary on-off signal) with GPC. It's long overdue.
onli · 9 months ago
The article ignores that the DNT header already had some regulatory backing, as in court decisions saying it ought to be respected. https://www.datev-magazin.de/nachrichten-steuern-recht/recht... references such a decision against LinkedIn.

Instead of using that, this new proposal seems to be exactly the same thing, just with more work for website hosters (having to add nonsensical files to /well_known/) and claims that this time, the regulatory backing will be good enough. Bullshit. They could have just tried to enforce the DNT header now, with the new regulations and the old case law. Instead they ripped it out of Firefox.

jeroenhd · 9 months ago
DNT failed because advertising and online stalking companies refused to abide by it when browsers enabled it by default. The GPC spec tries to work around this by having the spec disable the feature by default.

This new spec is necessary because American legislation requires opt-out signals not to be the browser default. That means DNT, as browsers used it, is not legally an opt-out signal, because browsers default to it.

What this is doing is throwing out the header that had legal backing in Europe for a slightly worse copy that hopefully has legal backing in America in the future.

It's a silly specification, but if it gets companies to actually respect this iteration of the DNT spec then I'll accept it.

As for DNT, Firefox may have removed it but addons can still set it. As useless as that may be, because the spec is marked as outright deprecated (https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/...), you can still send the signal.

joker99 · 9 months ago
There are dozens of ways browser devs could make it default, without making it default - by way of malicious compliance. Example: The first time the browser is opened, display a big fat page asking "DO YOU WANT TO BE TRACKED & SURVEILLED ON THE INTERNET??? NO (highlight in nice colour) / YES (add dark pattern here) / learn more (in tiny font)". Pretty sure most people would click "NO". Every couple of weeks it could pop up again with a similarly phrased question "ARE YOU SURE YOU STILL DON'T WANT TO BE TRACKED?" but this time with a nice UI element where the user can specify that the answer to this rhetorical question will stay the same for the next n days/months/years/decades/centuries/millennia.
salawat · 9 months ago
Allowing assholes to continue being assholes is the crux of the problem. Companies ignoring DNT on as a default should have been met with massive punitive fines and liability. Instead, we're not doing anything to curtail the behavior.
luckylion · 9 months ago
Wasn't this just Microsoft back in the day that enabled it by default, and they were already a small player at that point (Chrome was the leader and even Firefox had more market share back then, iirc).

In other words: "browsers" didn't make it the default, one small browser did.

And so if _any_ browser, whatever tiny percentage they might have of the market, will make this new proposal the default, advertisers can again say "see? totally unreasonable, we won't follow that".

But it being made default by Microsoft was never the problem, ad-companies just didn't care.

inetknght · 9 months ago
> American legislation requires opt-out signals not to be the browser default

Can you cite the legislation stating that?

colingauvin · 9 months ago
I was pleasantly surprised to learn that my state passed a law requiring businesses that serve 50k or more residents here to respect this setting and opt me out of tracking by default.
greatgib · 9 months ago
Do I understand correctly that this means that the browser will have to do yet another useless request to domains or websites to know the GPC status, in addition to the request required to retrieve the resources? In addition to the OPTIONS requests that already have to be done?
jeroenhd · 9 months ago
OPTIONS isn't always necessary, there are ways to prevent those requests.

Also, the GPC request will probably only be sent when you enable GPC, which basically means "almost nobody".

casenmgreen · 9 months ago
Any takes on this from someone who knows about it?
anticristi · 9 months ago
I work as a Data Protection Officer, which is a legal role under GDPR, and am rather unimpressed by GPC. I could whine for a day, but among the most problematic issues: It's not clear if "Sec-GPC: 0" should be interpreted as:

1. "no" to collecting personal data under GDPR consent; or
2. "objection" to collecting personal data under GDPR legitimate interest; or
3. "no" to retrieving and storing data on a user device (e.g. cookies, localStorage); or
4. A linear combination of the above.

Personally, I think we should simply fine the heck out of all websites until they all feature a "Reject all" button. No need for browser vendors to propose standard which at least one browser vendor can't be bothered to implement.

jeroenhd · 9 months ago
"Sec-GPC: 0" is invalid. The value can only be 1, and that explicitly cannot be changed in the future according to the spec.

This makes GPC a flag that means "unknown" or "opt-out". There is no "please share my data with your newsletter company" value, there can only be "do whatever the default is for sharing my data with any company you partner with".
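As an added example (not code from this thread, from Mozilla or from the GPC spec's authors), the following Python shows how a site consumes the header as the spec defines it, the point made above: only the exact value "1" is a signal, so "Sec-GPC: 0", "true" or an empty value carry no meaning and fall through to the site's default treatment rather than being read as consent. It also produces the /.well-known/gpc.json resource a site publishes to state that it honours the signal. The host name, the lastUpdate date and the "sell or share" decision mapping are assumptions for illustration; the request headers are constructed sample input.

```python
"""
Server-side handling of the Global Privacy Control (GPC) signal.

Exercised here:
  * the Sec-GPC request header, whose only defined value is "1"; any other
    value is not a GPC signal and must be treated as if the header were absent;
  * the /.well-known/gpc.json resource with which a site states that it
    honours the signal ("gpc": true plus an ISO 8601 "lastUpdate" date).
"""
import json
from dataclasses import dataclass

WELL_KNOWN_PATH = "/.well-known/gpc.json"


def gpc_opt_out(headers: dict) -> bool:
    """True only when Sec-GPC is present with the exact value "1".

    Header names are case-insensitive; the value is not. "0", "true", "yes"
    or an empty string are not defined by the spec, so they are ignored: GPC
    has an "opt out" value and an "unset" state, but no "opt in" value.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return str(value).strip() == "1"
    return False


@dataclass(frozen=True)
class DataUseDecision:
    sell_or_share: bool  # may personal data be sold/shared with third parties?
    reason: str


def decide_data_use(headers: dict, site_default_sells: bool) -> DataUseDecision:
    """Map the signal to a Do Not Sell/Share decision (assumed site policy)."""
    if gpc_opt_out(headers):
        return DataUseDecision(False, "Sec-GPC: 1 received; treated as Do Not Sell/Share")
    return DataUseDecision(site_default_sells, "no valid GPC signal; site default applies")


def well_known_gpc(last_update: str = "2025-01-01") -> str:
    """JSON body for /.well-known/gpc.json (lastUpdate is an assumed date)."""
    return json.dumps({"gpc": True, "lastUpdate": last_update})


def handle(method: str, path: str, headers: dict) -> tuple:
    """Tiny request handler: (status, response headers, body)."""
    if method != "GET":
        return 405, {"Allow": "GET"}, b""
    if path == WELL_KNOWN_PATH:
        return 200, {"Content-Type": "application/json"}, well_known_gpc().encode()
    decision = decide_data_use(headers, site_default_sells=True)
    # The response depends on the Sec-GPC header, so caches must key on it;
    # otherwise an opted-out user's response could be served to others.
    resp_headers = {"Content-Type": "text/plain", "Vary": "Sec-GPC"}
    return 200, resp_headers, decision.reason.encode()


# Constructed sample requests against an assumed host.
SAMPLE_REQUESTS = [
    {"Host": "example.test", "Sec-GPC": "1"},      # valid opt-out signal
    {"Host": "example.test", "sec-gpc": "0"},      # undefined value: no signal
    {"Host": "example.test", "Sec-GPC": "true"},   # undefined value: no signal
    {"Host": "example.test"},                      # header absent: no signal
]


def classify_samples() -> list:
    """Return (sell_or_share, reason) for each constructed request."""
    return [
        (d.sell_or_share, d.reason)
        for d in (decide_data_use(h, site_default_sells=True) for h in SAMPLE_REQUESTS)
    ]


if __name__ == "__main__":
    for req, (sells, why) in zip(SAMPLE_REQUESTS, classify_samples()):
        print(f"{req!r:45} -> sell_or_share={sells} ({why})")
    print(handle("GET", WELL_KNOWN_PATH, {}))
```

Only the first sample request suppresses selling; the "0" and "true" variants are indistinguishable from no header at all, which is the answer to the "Sec-GPC: 0" question above. The `Vary: Sec-GPC` response header is a practical caveat rather than something the spec dictates: any intermediary cache between the site and the browser must key on the header once the response depends on it.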

andreasmetsala · 9 months ago
> Personally, I think we should simply fine the heck out of all websites until they all feature a "Reject all" button.

Personally I’m tired of cookie pop-ups on websites; a reject all button does nothing to solve the actual problem. If a user's browser can somehow communicate the preference so we don’t need to click on pointless stuff, then wouldn’t that be optimal?

roenxi · 9 months ago
> The main problem with DNT was the lack of legal and regulatory backing it received. Website owners could decide if they'd observe the DNT signal and there were no legal repercussions if they chose not to. This is where GPC is different.

This sounds like an attempt to regulate the entire internet.

pessimizer · 9 months ago
Ideally it would be an attempt to regulate more than that. If I've set a flag that indicates a preference about the use of my personal information that I have some legal right to demand, I want it enforced. You don't get to ignore my request because internet.
whatshisface · 9 months ago
It's just an extension of copyright, which already regulates the entire internet. You should have the copyright over your mouse clicks, plus 100 years after the death of the author.
throw10920 · 9 months ago
How is GPC an extension of copyright?
IshKebab · 9 months ago
It's no more regulation than GDPR. They're just trying to make GDPR less insanely annoying.

But given the EU's track record I give this a 0.1% chance of success.

drpossum · 9 months ago
So what do you refer to all the other stuff that is accepted as "the internet" but is not websites?
roenxi · 9 months ago
... the internet? I get the impression you're trying to ask something that you haven't articulated. I don't know why it'd be assumed that this approach will stop at websites.
1vuio0pswjnm7 · 9 months ago
For a while now I have been adding a "sec-gpc: 1" header in the forward proxy (client/browser agnostic). Thus, at least one person is using it.
JimDabell · 9 months ago
Unfortunately because this is rare, it’s a strong signal for fingerprinting and helps people track you without your consent.
1vuio0pswjnm7 · 9 months ago
Maybe I can use the GPC header as a way to let advertisers track and target me with exciting offers. Perhaps they can create a "fingerprint" from the three headers I send: Host+Connection+GPC, as I request web pages with netcat or tcpclient through a localhost-bound TLS forward proxy. I use these clients on a daily basis for making HTTP requests. I read HTML with a text-only browser. I do not use DNS when requesting www pages. The needed IP addresses are stored in the proxy's memory. For some reason I never see any ads.

Unfortunately, the sec-gpc header does not seem to be working as I have not received any advertisements after I started using it. Perhaps I have to manually request the ads and send the telemetry since I am not using browser that auto-loads resources or runs Javascript. Maybe I need to put the IP addresses for the tracking and ad servers into the proxy's memory.

Meanwhile, I am missing out on whatever products, services and campaign drivel the advertisers might show to people who use netcat/tcpclient and send only three HTTP headers. No doubt all the online merchants using text-only e-commerce platforms must target some amazing offers to all the online shoppers using netcat/tcpclient.^1 Someday maybe I too can receive them.

1. IIRC, funnily enough, there is a commandline "e-commerce solution", i.e., online store, that has been shared on HN before, perhaps as joke.

TZubiri · 9 months ago
I'm an absolute outsider to this, I use Edge and would use Chrome if need be.

It seems to me like Mozilla appeals to paranoid users who don't pay for software and also don't want to see ads, and in exchange insane demands and revolt are placed upon them.

One thing you learn when providing services is that the demands don't ever stop. The more you provide for free, the more demands you get.

Would not want to be in this space, let's normalize paying for software, then you wouldn't need to worry about alternative monetization schemes.

recursivecaveat · 9 months ago
Tracking is not synonymous with ads. Advertising was big business back when you had to just put a jingle on the airwaves or paint a billboard and trust that the right demographic would happen on it. It is plenty possible to display ads and make money from them without invasive tracking; for example, DuckDuckGo does so. On the other hand, if you do not fight tracking, paying for the service is no defense: they will just double-dip every time, triple-dip if they think they can slot ads in.
throw10920 · 9 months ago
I don't think that Mozilla is saying you should provide service for free. If GPC is turned on, the website can just pop up a paywall, no?