WingNews logo WingNews
top | item 21429259

Ask HN: Shouldn't web browsers ask us before storing cookies?

74 points| jakemor | 6 years ago

Every time we visit a GDPR compliant site, we are greeted with the all too familiar (yet far from homogeneous) popup asking us to either accept or deny the site's privacy policy and cookie behavior.

I'd like to point out how this law is hurting the web.

When the onus is on the developer to ask a user for permission, the user is forced to trust the developer. For example when a website asks me if they can store cookies in my browser, and I say no, there is no easy way of me knowing if that site is actually listening to me.

Wouldn't it be cleaner if the burden was on the browser to ask us for permission?

In iOS for example, the operating system asks you if you'd like to grant an app access to your camera... not the app itself! Imagine we had to blindly trust an app to not use our camera, without any help from Apple. Mayhem!

Instead, the EU mandates that developers ask permission. Developers place a stupid looking div filled with legal jargon on their homepage. We roll our eyes and click accept. Good actors (who respected our privacy in the first place) continue to respect our privacy. Bad actors continue to ignore it.

63 comments

order

fitzroy|6 years ago

Instead of asking for each site, just allow first-party cookies and delete them by default when the last tab of that domain is closed. The user should be able to favorite cookies to keep indefinitely, with the rest being cleared on a user-defined schedule (onTabClose, 1 hour, 24 hours, 1 week, etc). There was a free Safari extension called Safari Cookies that handled the favoriting but it stopped working several years ago. https://sweetpproductions.com/safaricookies/index.htm

I'm surprised this isn't a standard feature built into browsers. Seems like it would be obvious to have a level of granularity between accept all first-party cookies and accept none.

Edit: to clarify, I don't think setting cookies is the issue (and not worth the UX hassle to ask everytime); the issue is storing the cookies for longer than the interaction persists. To me, it's analogous to someone remembering who you are during a conversation vs adding you to their rolodex and storing that info indefinitely.

SyneRyder|6 years ago

Microsoft Edge Beta has this. In Settings -> Site Permissions, you can disable "Allow sites to save cookies", but then add individual websites to the Allow list. There is also a Clear On Exit list you can add sites to.

I'm pretty sure Firefox & Chrome have similar functionality.

yunruse|6 years ago

I like this idea, but many users would find it equally annoying to have to manage this. A machine-learning software which tracks usage would be more welcomed, backed up by favourite status / use of password managers to make a good heuristic.

Just so long as the ML algorithm is open source and entirely personal – having a company decide which cookie is good would be easily abusable.

proofofconcept|6 years ago

As I remember it, this was an option you could enable in Netscape Navigator back in the dialup days. In practice it meant that every time you went to a new website you'd have to click ok on a dozen popup menus asking for permission to store each individual cookie before the page would load. I'm sure there are ways to make that process go a little more smoothly but in practice it's still probably something that most users would immediately turn right off.

weinzierl|6 years ago

If I remember correctly the UI for this existed long after Netscape Navigator. According to [1] it was removed in Firefox 44 in early 2016. I had expected that they only removed the UI but left the functionality available via about:config but that doesn't seem to be the case.

EDIT: According to [2] and [3] it seems the behavior was triggered by about:config network.cookie.lifetimePolicy set to 1 (ASK_BEFORE_ACCEPT), but the meaning of 1 apparently has changed over the years. At least setting it to 1 doesn't trigger any cookie dialogs in my Firefox 70.0.1 (64-bit).

[1] https://www.ghacks.net/2016/02/05/firefox-44ask-me-everytime...

[2] https://bugzilla.mozilla.org/show_bug.cgi?id=233339

[3] http://kb.mozillazine.org/Network.cookie.lifetimePolicy

cheez|6 years ago

Oh my god, you just triggered some horrifying memories of that popup.

No, you definitely don't want the web browser to ask.

hos234|6 years ago

It used to be an option in Firefox. You have to go dig around bugzilla to find the reasons they removed it -

https://bugzilla.mozilla.org/show_bug.cgi?id=1249151

https://bugzilla.mozilla.org/show_bug.cgi?id=606655

userbinator|6 years ago

...and this:

https://bugzilla.mozilla.org/show_bug.cgi?id=570366#c1

"This option isn't supported, last I checked"

What a reason. They decided to remove it because it "isn't supported"? So much for "open source" being better at "do what users want"... if you personally don't need that option, fine, don't use it. But don't go taking away things that a lot of others want.

I get extremely angry whenever I see discussions like that. You can read and even participate in them, but your opinion is ultimately useless because you're not part of some privileged group who makes all the decisions about what to do with Firefox. It's no better than proprietary software where your bug reports are similarly ignored, besides being possibly a little bit easier to patch.

wronex|6 years ago

Firefox Focus for Android is great. It never stores anything. Which I think is a useful default when looking at shared links, doing quick searches, reading news etc.

tempestn|6 years ago

From my perspective, a lot of the problem is that there are very legitimate uses for cookies and other types of local storage, outside of advertising and other sorts of tracking. IE remembering user preferences, knowing what messages they've seen, that kind of thing. It would be a huge hindrance to not be able to persist any kind of state between visits. The real issue in most cases are third party cookies from ads and other trackers, but in almost everyone's understanding these are all lumped together into the single category of 'cookies'.

Of course, it's not quite as simple as "first party cookies fine, third party bad", since when you're on a domain like google.com for example, a whole lot of tracking goes on with first party cookies. But still, that can be dealt with. If I were coming up with a regulation (be it enforced at the browser or site level) it would make a distinction between first party cookies on domains serving up to X users per month, first party cookies on domains serving over X users per month, and third party cookies on all domains. The first of those categories could, I think, be unregulated. Save messages and/or restrictions for the other two and I think it would go a lot further toward achieving the goals of these sorts of initiatives, while being much less of a useless annoyance.

Firefox is going in this direction somewhat with their default blocking of third party cookies, but there's nothing they can really do unilaterally to treat first party cookies on google.com differently from bobsblog.com.

neilobremski|6 years ago

I agree that "this law is hurting the web" but I don't see how shifting that from the website to the application is going to solve the root issue. Prompts like these are annoying speed bumps that I have a hard time believing are in anyway effective -- paranoid people already deeply evaluate the software and services they use whereas the casual user is likely to just to "yah yah, get this out of my face" click it.

jakemor|6 years ago

If you tell the website “no don’t track me” it can’t even remember not to track you (because doing so would be tracking you!) so they have to ask every time.

If you tell the browser no, it would just block the site from storing any info in the browser. It would ask you once only the first time you visit a site, and you can change it whenever in the toolbar. Problem solved, no?

morpheuskafka|6 years ago

How about, if you install software such as a web browser on your computer that has a certain functionality intentionally exposed via an API, and you then visit sites that make use of that API, you have given consent for them to use it. And if you don't like it, you can reconfigure said browser to block them.

Retric|6 years ago

Technology can have legitimate and illegitimate uses. Just ask the humble crowbar. Laws are how we codify such things and software is no different.

Consider, a computer virus is only doing what the OS/hardware allows it to do. By your reasoning that should be absolutely acceptable in all situations as TCP/IP is an API.

sillysaurusx|6 years ago

And if you don't like it, you can reconfigure said browser to block them.

Oh?

I'd love it if that were true. But increasingly, it's not.

Take the YouTube app on iOS. It has no extension functionality. And it's de facto the YouTube browser.

Is it a web browser? Depends how you look at it. YouTube is the web of videos.

Even if we're talking about the actual web, Chrome on iOS doesn't seem to be configurable with extensions. Certainly not easily reconfigurable. In fact, Apple blocks apps that become too configurable, like Expo's old "Scan a QR code and now see your app running immediately" functionality.

Sadly we no longer seem to live in the world where you're encouraged to reconfigure anything.

dragosmocrii|6 years ago

Well said! Now if browsers wouldn't have the option to manage certain things, that would be a different matter.

Food for thought: how about advertising companies needing to ask people for consent for showing them the ads; your local post asking for consent for delivering tou junk mail; etc... Lots of things are taken for granted and we just have to cope with it

_jomo|6 years ago

I'd like to point out that GDPR compliant sites don't need to ask permission for strictly necessary cookies.

I also recommend using Cookie AutoDelete for Chrome [0] or Firefox [1]. You can define a whitelist of websites where you actually need Cookies (because you want to stay logged in), and the rest will be forgotten when you close the tab. It even allows different rules in Firefox Containers.

0: https://chrome.google.com/webstore/detail/cookie-autodelete/...

1: https://addons.mozilla.org/en-US/firefox/addon/cookie-autode...

jopsen|6 years ago

> I'd like to point out that GDPR compliant sites don't need to ask permission for strictly necessary cookies.

That's also my interpretation. If you use cookies for session state, authorization, then it's no problem.

The problem is that every website decided that they needed to track users. Or that asking for permission would minimize liability.

Nextgrid|6 years ago

The GDPR consent prompts are less about technicalities (are you using cookies or local storage) and more about giving the side permission to stalk you no matter what method they use.

The real problem here is the lack of enforcement of the regulations. The majority of GDPR consent prompts are obnoxious because they aren't actually compliant - compliant ones are much more pleasant. See this comment I just posted on another GDPR thread: https://news.ycombinator.com/item?id=21429666

Finally there's this misconception (it could be a lie perpetuated by companies looking to profit from GDPR-related consulting, or those looking to push back on the regulation by making it seem more annoying than it actually is) that all cookies require consent. That is blatantly false. Cookies to store site preferences (like language, font size), shopping carts or login sessions don't require consent as they're necessary for the functionality you're trying to use.

raverbashing|6 years ago

This is the right answer. I think the popups come mostly from a) an American interpretation of an European law and b) as a way to spite the users while "trying" to do the bare minimum to comply with the letter of the law (which might not be accepted as compliance)

And none of this farce would be needed if sites wouldn't track individual users. Showing ads don't require tracking individual users (and retargeting is frankly BS)

gingerlime|6 years ago

I honestly can’t figure out how these popups became so prevalent. They’re so obviously not compliant not just with the fine print of GDPR but with its spirit.

Even if you’re completely cynical about being compliant with GDPR I would imagine that not having popups like that at all is more compliant or less likely to get you in trouble than having those flagrantly-non-compliant ones...

oliwarner|6 years ago

Storing data in a cookie is not the dangerous bit, it's the intent, the what you're storing that data for which matters.

A browser popping up a prompt saying "google.com wants to store a cookie, is that okay?" isn't enough.

The design of these cookie and enhanced data protection laws is that websites need to spell out their intent. To tell people what data they're storing any why. Yes, you could code that into headers and have the browser relay that information, but that's the stalemate we're in.

wronex|6 years ago

How about Firefox Temporary Containers?

https://addons.mozilla.org/en-US/firefox/addon/temporary-con...

I think they compartmentalize each tap until it is closed. Dunno if it only clears cookies or all other forms of storage.

Cookies get all the bad press when there is many other ways to store data. Or does the word "cookie" encompass all forms of persistent storage?

kd5bjo|6 years ago

Note that the GDPR isn’t just about cookies, it’s about all collection of personalized information, in any form. It also outlines plenty of scenarios that don’t require a separate permission request beyond simply doing business with a company.

We’re only in the midgame of this particular regulation— the rules changed “suddenly” and specified outcomes rather than methods. Regulators and businesses are in the messy stage of negotiating best practices as businesses change as little as possible and regulators give fines for misconduct.

The hope is twofold: that enough users will opt out to make problematic business models less profitable, and that the lower user friction of models that don’t require tracking will become relatively more successful. Neither of these goals is served by allowing a blanket permission setting.

diminoten|6 years ago

"Shouldn't" implies some kind of higher authority capable of enforcing such a feature universally across browsers, when no such authority exists.

Browsers give you all kinds of opt-out capabilities, if that's something you're interested in. The fact is, most people aren't interested.

johnchristopher|6 years ago

But those opt-out capabilities are as clear-cut as most of GDPR banners.

edit: mea culpa, I somehow missed bunch of keys and there is a missing negation in my comment which should read "But those opt-out capabilities aren't as clear-cut as most of GDPR banners." I mean: the UI isn't there to opt out of affiliated adtech networks or to store the amount of details the user is willing to share.

gpvos|6 years ago

IIRC, in the early days, they did ask for every cookie.

rzzzt|6 years ago

lynx definitely had a "yes/no/all for this site" kind of question.

dynom|6 years ago

Your suggestion makes a lot of good sense. Cookies aren't the real threat though. Surely cookies are used for both wanted and unwanted tracking. Passive tracking however (fingerprinting of any form) will remain the threat we can't block and we won't know is happening.

If we add a mechanism to allow the OS to handle cookies, bypassing possible untrusty browser vendors. We won't solve much and create a false expectation, while (arguably) break more than we fix.

This doesn't mean we shouldn't, but if a method is found, it should include a significantly more comprehensive form of anonymity.

--2 cents

rolph|6 years ago

I usually right click and select an element blocker.

There was a time wayy back when a browser would prompt user when site requests to push out a cookie [up to about mid 90's AFAIR], but that was before the web was hijacked for commercial interests.

now there are often so many cookies with the typical website that a manual dialogue would waste all your user time.

so i think thats where the decision was made to include all cookies, in one broad permission setting.

Rarok|6 years ago

Internet Explorer (in the time of Windows 95) did that and people didn't liked and always checked the "Never ask my again" checkbox

ecesena|6 years ago

Browse in anonymous/private mode.

There’s unfortunately little difference between cookies used to keep you logged in and to track you. Therefore no cookies = log in every time. As long as you’re ok with that, go for it!

simpss|6 years ago

GDPR does not require "cookie consents forms" and neither do the EU e-privacy rules. There are clear exemptions for authentication and other technical cookies.

Basically, the form is only required if you're doing something nastier, like tracking.

I've never understood why sites just run with the concept and implement the "permission form" when it really isn't required for good actors.

https://wikis.ec.europa.eu/display/WEBGUIDE/04.+Cookies#sect...

ps: for firefox I use "cookie autodelete" extension https://addons.mozilla.org/en-US/firefox/addon/cookie-autode...

butz|6 years ago

Upcoming ePrivacy law should fix this nonsense with cookie banners. Although, having cookies permissions settings, like notifications and location in browser UI would be great.

frippledipps|6 years ago

It's just the beginning. Given the logic of the allmighty regime, each web link has to have a label describing all privacy impacts it might have if you click on it. The link will only open if you confirm.

johnchristopher|6 years ago

But that would place the responsibility to enforce GDPR on browsers vendors, not publishers. GDPR is about private information, the browser isn't interested in that, the publisher is, so the responsibility falls on the publishers.

JohnTHaller|6 years ago

They used to. Everyone hated it. They stopped.

tinus_hn|6 years ago

Do you really want 120 questions for each site you open?

Buge|6 years ago

It could be better than the current situation. It could give a single popup when you visit a site, and you would click yes/no and it would remember that forever. You would never get a popup for that site again.

With the current situation, there often isn't even a no button! You're required to click yes. And then if you ever clear your cookies, it pops up the box another time.

Additionally people who don't like the popup can simply go into their browser settings and say allow for all sites.

zrm|6 years ago

You don't need 120 separate questions, just a single list with all 120 cookies and their domains, with a checkbox next to each one and some "select/deselect all" buttons.

DoubleGlazing|6 years ago

It would be almost impossible to enforce. Publishers have a point of contact, an address or a hosting company, some sort of physical place where you can find whoever is in charge of the site. In other words, somewhere to send legal documents and summonses should a government wish to pursue legal action.

This is only partly true for web browsers. Google, Mozilla and Microsoft have addresses. But what all the browsers that have forked from open source projects? If someone forks Chromium and adds nasty features, how do you track them down if they did everything anonymously?

More to the point, if a law is passed that says "all browsers must do X,Y and Z". How to you enforce that in a world where open source is so prevalent? The big players may add the requirements to their flagship browsers, but if those browsers have open source underpinnings they have no control over the forked versions.

It's the publishers who are abusing browser capabilities, its much easier to force them in to compliance rather than trying to legislate how browsers work.

jakemor|6 years ago

> More to the point, if a law is passed that says "all browsers must do X,Y and Z". How to you enforce that in a world where open source is so prevalent?

Easier to enforce it on browsers than EVERY SINGLE website that uses cookies for tracking, no?