This whole thing is ridiculous. While adding these widgets to blocking filters seems like a workable short-term solution, the entire cookie notice scheme is unworkable in the long run. The problem is, this crap will stack up in the future, and none of it will ever get abolished. On some sites, I get a triple-stacked legalese warning banner, and I have to manually close all three of them.
Since internet law will only get worse, maybe it's time for a "real" technical solution to this. For example, if we had a standardized HTML element attribute to mark these widgets, browser/adblock makers could enable people to opt out of displaying them. It might look something like this:
Frankly, the requirement of notice could (and should) be pushed on to user agents – not sites. For one, it would help standardize both the user experience of notices – and leave the UX of website specific notices alone – but also it would improve the current state of things where many (most?) sites in the EU simply don't care or know about the legislation.
The last thing we need is more cruft sent across the wire.
The "real" technical solution here is to standardize a modern authentication system separate from cookies and have things like "do not track" actually work. The industry has, seemingly deliberately, failed to do that. So the EU has rightfully argued from "first principle" that privacy and data protection is more important than the status quo in the industry.
Why block them? It's good that websites have to be more transparent with how they are tracking users.
It is however inconvenient for the websites. They could always stop using privacy-invading ad networks and external services which track users and then they wouldn't have to show any message.
These laws are still evolving and changing. Different for every country. We don't have something international we can build standards upon at this point in time.
It seems to me there would also be an active push against any such implementation because it would make current solutions for getting around this type of cruft more effective than it already is.
Although if we were going to go this route I'd like to see it be a server-side rather than included in the markup. The browser could detect that you are visiting a new domain and request relevant information upon connection.
This stupid cookie notification law was actually the main reason why I had to enable cookies permanently. My browser used to delete all cookies at the end of the session (when I closed the browser) except for a few whitelisted domains.
Then these notices popped up everywhere. So where do the sites store the information that you've already seen the notifications? In the cookies of course! So if you're actually serious about your privacy and delete cookies you will the the notices every time...
The reason that the EU cookie law broke down is that directly after the EU directive was issued, several lawyers from large companies changed their interpretation of an older 1995 directive that dictate how consent is given. The directive says that consent require "specific and informed indication", but lawyers from very large companies decided that the act of continuing using a website was the same thing as giving "specific and informed indication", thus users agreed to whatever policy or agreement that is linked in the banner.
I visited a conference during that time which had a panel where those lawyers was discussing this and even brought up a question if a person really could agree to 20 pagers of policy document from the mere fact of just continuing using the website, and their collective answer was yes (through one agreed that 30 pages would be too much). To my knowledge no legal case has ever tested this, and thus we got this ridiculous cookie notice system where things has gone from bad to worse after the 2002 directive.
If anyone can spare 5-10 minutes a week to help me and a couple of others maintain this list (testing and merging pull requests, closing issues, etc.), I'd be very appreciative!
You can contact me here or send an email to cookies[at]prebake[dot]eu
If an extension like Prebake (which I realize just a filter list) added a 'DNT: 0' HTTP header (Do Track instead of Do Not Track), then automatically dismissing cookie notices would be a "legitimate" new solution and not be "cheating" (as some might call it). If the user also runs a ad or tracker blocker, well, that's their business and a different problem. ;)
I think they hoped this law would encourage sites that people don't expect to have cookies to not set cookies until necessary.
Like state sponsored news sites for example. I mean, really: why on earth does a site like that need to set cookies? To remember which videos I have watched?
The real problem here is probably Google Analytics.
The law does not require sites to put up giant banners for every page load. As belorn points out, this was caused by the interpretation of nervous lawyers and hasn't ever been tested in court.
Tried this before and it helps only so much. Many sites actually don't work before you accept cookies (they pose it as a requirement and tell you that cookies keep you logged in, even though the cookie law is only applicable to tracking cookies) so you need to see the banner before you can see the page. Examples: fok.nl and tweakers.net.
I've been using a different filter list[1] for more than a year, and it's really useful as I already use self-destructing-cookies[2] to exercise control over which cookies my browser will remember, meaning that pretty much all sites think I've never visited before and therefore try to annoy me with their cookie banner.
It seems uBlock (Safari 9) doesn't recognise this when i add it to the 3th party filters/custom URLs - when i click "parse" i don't get to see a new row with a checkbox. example:
Cookies are integral to the operation of every modern website. They offer security in the form of features like csrf protection or maintaining login state between visits. There is sufficient protection for cookies in the form of encryption and a laundry list of further details which have been added over the years.
There are far larger security related concerns on the web. The cookie warnings are on par with if you had to agree with Javascript running on any page you visit in the EU. So, yes, I want to auto-accept.
As a developer I feel like I'm not going to make special considerations that ensure you can use forms on my website without cookies enabled. And I'm not going to find another way to detect and re-instate your login state.
From my experience, most of the sites that have this warning only have a single button: accept. No way to disallow the cookies that get stored regardless of how you react to that popup. This will just save me a click.
It warns users who don't accept cookies that the website uses cookies, at every connexion. It doesn't warn users who accept them that they're used, putting aside the first connexion.
It should be the other way around. The website should warn the user that a cookie is used when the website just accepted a cookie from the browser. The privacy concern happen at this very moment, when you phone back to the website, not when the website phones you information.
[+] [-] Udo|10 years ago|reply
Since internet law will only get worse, maybe it's time for a "real" technical solution to this. For example, if we had a standardized HTML element attribute to mark these widgets, browser/adblock makers could enable people to opt out of displaying them. It might look something like this:
And ideally, there would be a JavaScript API to query this as well, maybe piggy-backed on the Permissions API:[+] [-] mstade|10 years ago|reply
The last thing we need is more cruft sent across the wire.
[+] [-] gozo|10 years ago|reply
[+] [-] blub|10 years ago|reply
It is however inconvenient for the websites. They could always stop using privacy-invading ad networks and external services which track users and then they wouldn't have to show any message.
[+] [-] Kequc|10 years ago|reply
It seems to me there would also be an active push against any such implementation because it would make current solutions for getting around this type of cruft more effective than it already is.
Although if we were going to go this route I'd like to see it be a server-side rather than included in the markup. The browser could detect that you are visiting a new domain and request relevant information upon connection.
[+] [-] mtgx|10 years ago|reply
https://boingboing.net/2012/06/13/error-code-451-an-http-err...
[+] [-] facepalm|10 years ago|reply
[+] [-] skrause|10 years ago|reply
Then these notices popped up everywhere. So where do the sites store the information that you've already seen the notifications? In the cookies of course! So if you're actually serious about your privacy and delete cookies you will the the notices every time...
[+] [-] belorn|10 years ago|reply
I visited a conference during that time which had a panel where those lawyers was discussing this and even brought up a question if a person really could agree to 20 pagers of policy document from the mere fact of just continuing using the website, and their collective answer was yes (through one agreed that 30 pages would be too much). To my knowledge no legal case has ever tested this, and thus we got this ridiculous cookie notice system where things has gone from bad to worse after the 2002 directive.
[+] [-] facepalm|10 years ago|reply
[+] [-] liam_ja|10 years ago|reply
If anyone can spare 5-10 minutes a week to help me and a couple of others maintain this list (testing and merging pull requests, closing issues, etc.), I'd be very appreciative!
You can contact me here or send an email to cookies[at]prebake[dot]eu
[+] [-] cpeterso|10 years ago|reply
[+] [-] unknown|10 years ago|reply
[deleted]
[+] [-] kwhitefoot|10 years ago|reply
[+] [-] vruiz|10 years ago|reply
[+] [-] oliao|10 years ago|reply
The real problem here is probably Google Analytics.
[+] [-] cornewut|10 years ago|reply
Problem is the abuse of technology to track users.
[+] [-] sp332|10 years ago|reply
[+] [-] lucb1e|10 years ago|reply
[+] [-] andrewaylett|10 years ago|reply
[1]: https://github.com/r4vi/block-the-eu-cookie-shit-list
[2]: https://addons.mozilla.org/en-GB/firefox/addon/self-destruct...
[+] [-] DavideNL|10 years ago|reply
True, but also not True (unfortunately), because the websites can identify you anyway by your fingerprint: https://panopticlick.eff.org
[+] [-] roel_v|10 years ago|reply
[+] [-] DavideNL|10 years ago|reply
this works: https://raw.githubusercontent.com/r4vi/block-the-eu-cookie-s...
this doesn't work: https://raw.githubusercontent.com/liamja/Prebake/master/obtr...
[+] [-] tdkl|10 years ago|reply
[+] [-] prodmerc|10 years ago|reply
Personally, I'm annoyed by the cookie messages, but the law is supposed to help people.
Blocking (or auto-accepting) them is basically saying we don't give a shit about this law :-)
[+] [-] Kequc|10 years ago|reply
There are far larger security related concerns on the web. The cookie warnings are on par with if you had to agree with Javascript running on any page you visit in the EU. So, yes, I want to auto-accept.
As a developer I feel like I'm not going to make special considerations that ensure you can use forms on my website without cookies enabled. And I'm not going to find another way to detect and re-instate your login state.
[+] [-] r3bl|10 years ago|reply
[+] [-] JelteF|10 years ago|reply
[+] [-] foobuzz|10 years ago|reply
It warns users who don't accept cookies that the website uses cookies, at every connexion. It doesn't warn users who accept them that they're used, putting aside the first connexion.
It should be the other way around. The website should warn the user that a cookie is used when the website just accepted a cookie from the browser. The privacy concern happen at this very moment, when you phone back to the website, not when the website phones you information.
[+] [-] T3RMINATED|10 years ago|reply
[deleted]
[+] [-] TerryADavis|10 years ago|reply
[deleted]