All this "do you agree to this and that" nonsense could be avoided by "inversion of control": instead of sites asking users whether they agree to this 100 page document, websites should be legally bound to listen and honor directives that users give about the data the sites gather.
For example, for cookies, legally force, with the cookie (with a standard protocol), transmit of "intent", like cross-site tracking, whether it is used for advertisement or something else, whether it may be shared with third parties, etc. Then the browser would simply not accept cookies with intent the surfer disagrees with.
Another possibility is, that the browser could, in a standard header, with a bunch of standardized flags, tell what the site may or may not do with the data they gather about the surfer.
> Another possibility is, that the browser could, in a standard header, with a bunch of standardized flags, tell what the site may or may not do with the data they gather about the surfer.
There was a W3C standard called P3P which is similar to what you describe. It was implemented by Internet Explorer, but fell into disuse long before cookie notices became common. Bringing back something like that would be an improvement over having to deal with cookie banners per site.
A much more naive version of this, the Do Not Track header, was removed from major browsers (partly) because it was actually being used for fingerprinting. I strongly suspect a less naive version would be subject to more abuse: as it gets more granular it becomes a fingerprint all on its own.
I understand that you’re suggesting pairing it with legal force, but I also highly doubt that would or could be effective in any kind of consistent way.
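The fingerprinting concern in the comment above can be put in numbers. This is an added example, not code from the thread or from any browser: it compares a single on/off signal with a granular preference header, and the flag names, opt-in rates, population size and the assumption that flags are set independently are all constructed for illustration.

```javascript
// Added illustration, not from the thread. Flag names and opt-in rates are
// constructed, and flags are assumed to be set independently of one another.

// One coarse signal, in the spirit of a single on/off "do not track" bit.
const SINGLE_FLAG = [{ name: "no-tracking", rate: 0.1 }];

// A granular preference header: one flag per purpose the user may refuse.
const GRANULAR = [
  { name: "no-cross-site", rate: 0.3 },
  { name: "no-ads", rate: 0.25 },
  { name: "no-third-party-sharing", rate: 0.4 },
  { name: "no-analytics", rate: 0.2 },
  { name: "no-personalisation", rate: 0.15 },
  { name: "no-geolocation", rate: 0.35 },
  { name: "no-profiling", rate: 0.3 },
  { name: "no-retention", rate: 0.1 },
  { name: "no-email-marketing", rate: 0.45 },
  { name: "no-ab-testing", rate: 0.05 },
  { name: "no-social-widgets", rate: 0.2 },
  { name: "no-data-sale", rate: 0.5 },
];

// Enumerate every possible header value (a bitmask over the flags) together
// with the share of the population expected to send exactly that value.
function headerDistribution(flags) {
  const dist = [];
  for (let mask = 0; mask < 2 ** flags.length; mask++) {
    let p = 1;
    flags.forEach((f, i) => {
      p *= (mask >> i) & 1 ? f.rate : 1 - f.rate;
    });
    dist.push({ mask, p });
  }
  return dist;
}

// Shannon entropy of the header value in bits: how much the header alone
// narrows down which user sent the request.
function entropyBits(dist) {
  return dist.reduce((h, { p }) => (p > 0 ? h - p * Math.log2(p) : h), 0);
}

// Share of users whose header value is expected to be sent by fewer than k
// people in a population of the given size (a small anonymity set).
function fractionBelowK(dist, population, k) {
  return dist.reduce((s, { p }) => (p * population < k ? s + p : s), 0);
}

// Summary for one header design.
function summarize(flags, population, k) {
  const dist = headerDistribution(flags);
  return {
    distinctValues: dist.length,
    bits: entropyBits(dist),
    shareInSmallSets: fractionBelowK(dist, population, k),
  };
}

// Constructed scenario: one million visitors, "small" means fewer than 50
// people expected to send the same header value.
console.log("single flag:", summarize(SINGLE_FLAG, 1e6, 50));
console.log("granular   :", summarize(GRANULAR, 1e6, 50));
```

The bits reported here come from the header alone; they add to whatever a site already learns from the User-Agent, IP address and other request metadata.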
For example, for cookies, legally force, with the cookie (with a standard protocol), transmit of "intent", like cross-site tracking, whether it is used for advertisement or something else, whether it may be shared with third parties, etc. Then the browser would simply not accept cookies with intent the surfer disagrees with.
And then you get Facebook spending millions of dollars taking out full-page ads in newspapers telling people that you are an evil demon who kicks puppies and hates small businesses.
(Ever notice that when Facebook wants to reach the most people, and the most important people, it uses newspapers, rather than its own platform?)
Personally, I find that this [0] doesn't break many sites at all, but messes with cookies to an appreciable extent. Combine this to an extensive use of that [1] and clearing your cache and cookies every day, and I think you're in decent shape while some heavy and heavily lobbied government body inches towards doing something about it.
You’re on the right track. Browser makers should be on the users' side and websites should have to honour users' preferences which are configured and sent to sites in the headers.
No one wants to be tracked though but they want the website to work. “All cookies” seem to play with that line. Don’t track me but allow website to work must be enforced on the client side. It’s what we do with uBlock Origin and things in the like.
what about an even simpler mechanism - a website offers cookies to the browser, and the browser can choose to either store or not store that cookie. if the browser chooses not to store the cookie, it's up to the website to inform the user that their browser has rejected the cookie and explain what functionality won't be provided.
Would making all HTTP requests embed a header with a CCPA / GDPR claim be binding? It is as verifiable as any request through their form... it's my original connection, so if they associate tracking data with me then they must associate this with me as well. Businesses should agree to my terms to make socket connections to me, else I should be able to see them in court. Proliferation is one way to end the modern shitty tracking madness.
> x-ccpa I do not consent to the sale or disclosure of my personal data and demand the deletion of my personal data per California CIV 1798.120, 1798.121, and 1798.105
We sometimes like to pretend that if a law is in force somewhere, it's in force everywhere, but that isn't the case. Otherwise, I'd be in serious trouble for saying I support Hong Kong independence. So you're creating these massively granular permissions and then passing some law, somewhere, saying they can't be used to fingerprint, but that's precisely what they will be used for everywhere the law isn't in force, which will likely be most of the world.
I said the same thing in a recent thread about cookies, and someone pointed out that there had been some kind of proposal along these lines, but it hadn't gotten any traction. I don't recall the name of it tho. (it wasn't Do Not Track, it was more complex, where cookies had some kind of "intent"/category associated with them).
eventually all sessions will have to operate like they are in a private window keeping the cookies permanently isolated to the host site visited and quarantine any third party cookies perhaps even find a means to spoof them.
in effect our browsers will need a db type tech to manage cookies and only serve them back when appropriate. a lot of what sites want to preserve for us; log in and such; can easily be done without cookies
Take a look at Global Privacy Control (GPC) which aims to do similar to what you’re describing, and is legally binding under CCPA and could be under GDPR too: https://globalprivacycontrol.org/
The most egregious violation I've seen is weather.com's cookie process. Go to https://weather.com/en-GB/ and click "Proceed with required cookies only". It's almost theatrical: first a spinning loading wheel, then the message "We are processing your request, this could take up to a few minutes to process." Then wait for their "Processing 0%" countdown to take a few minutes to reach 100%. Anyone would think they are trying to discourage people from choosing that option?
Looking at the network requests when you hit that button it seems to be hitting a lot of tracking providers opt out API endpoints. Which is good I suppose, though better not to even include their scripts until you agree to it
There's another one of these things that's used on lots of sites, that takes three (3!) minutes, with no network requests or anything happening after the first couple of seconds. I forget the name of the company behind it, but it's a large one, one of the ones that sites proudly proclaim with a "protected by X" image.
It's beyond a dark pattern - it's plain fucking disgusting behaviour.
Once the article got to opening the Dev Tools, I was surprised at the next approach: Copying the HTML into an editor, reformatting, copying into a C# project, setting up build rules for the copied HTML code, etc.
In this case I would always reach for typing a JavaScript oneliner into the dev console, using a couple of tricks:
1. Right click the element in the Inspector and choose "Copy" -> "CSS Selector".
2. Start typing the oneliner in the web dev console: Use [].slice.call(document.querySelectorAll("PASTED CSS SELECTOR")) to turn the elements into a JS array.
3. Use (...).map((o, i) => {...}).join("") to turn the JS array into a long formatted text string.
The result is the following, which took me a minute to type up and debug - from my perspective, a thousand times faster than firing up an IDE and setting up a new "project" to simply run a regex against some HTML.
{const rows = [].slice.call(document.querySelectorAll("li.vendor-item")).map((o, i) => {const idx = 1 + i; const name = o.querySelector(".vendor-title").textContent.trim(); const url = o.querySelector(".vendor-privacy-notice").href; return `|${idx}|${name}|[${url}](${url})|\n`}).join(""); `Listing As At 30 December 2020 08:10 GMT\n\n|-|Vendor| URL |\n|---|---|---|\n${rows}`}
Clever! It depends probably on the tech you are most comfortable with. I would probably copy to vscode and then use search & replace with regex there, or use multiline edit.
Somewhat related: Just yesterday the EU ePrivacy regulation took the first hurdle in Brussels. This will most likely bring some changes to the whole consent drama.
I'm not good at reading legalese and there seems to be no commentary for the current version[1] yet. What I understand is that they "encourage" browsers to implement "whitelists" (their choice of word, not mine) as a solution to "end-users [..] overloaded with requests to provide consent". I'm not sure there is an update regarding first-party analytics cookies which some hoped will be there.
I really wish this law had forced websites to respect a toggle in the browser UI instead of being allowed to engage in all their dark pattern shenanigans.
If a website had me jumping through too many hoops, I just don't bother. Many websites refuse to work without an egregious amount of third party JavaScript which makes it a pain in the ass to visit if you use uBlock Origin/uMatrix.
Let's be honest most of the websites that won't work without JavaScript aren't even really worth it. The content is usually garbage anyway.
(Warning: hyperbole) I feel like the consent notices are a form of torture. You might browse 10s or 100s of sites a day, and instead of being shown what you want, you're presented a consent notification with all kinds of cognitive processing needed to ensure you don't do something you didn't mean and to get at the information you wanted.
Maybe lockdown is making me cranky, but I'm getting really, really tired of the popups.
I came here for the comments but then went back and read the article. It's a deep dive into the cookie popup and all associated links, including 647 "partners" each with their own privacy policy. There are a lot of screenshots.
One thing I would like to see (and it shouldn't be too hard to code, using the example) would be a mirror of the entirety of text of all the privacy policies and everything else pasted back to back.
The screenshots and implication of having 647 privacy policies is bad enough, but I really want to see my scroll bar shrivel up and die.
It amazes me how bad the internet experience gets when using a VPN server in the EU.
I thought cookie popups were annoying, but I didn't realize how much more ubiquitous they are when you have an EU origin ip address. If you haven't tried it before, it's worth doing it just to see what those poor people put up with.
doesn't matter how long I need to scroll I always try to reject everything for every website that I know I will visit multiple times.
And I also use NoScript and uBlock Origin
But this is a prime example for a "dark pattern"
And also, if I can't reject most of the stuff I just close the site
What the author discovered here is the full list of publishers as given by the IAB consent framework [1], which is an attempt at self-regulation by the ad industry and website publishers.
Presenting the user with the full list of advertisers is indeed silly and not compliant IMHO. We also offer an open-source privacy & security tool for websites (Klaro! - https://github.com/kiprotect/klaro) and we have decided against implementing the IAB framework as it's clear that it does not conform to the intent of the GDPR. We also opted against using dark-patterns and making declining more difficult than accepting. Overall this results in slightly less opt-ins (around 50-70 % for most websites) but in any case those dark patterns will have to go sooner or later.
I love that the post doesn't answer the question in the title, just shows that it's inconceivable that any layperson would be able to answer the question on their own.
Not trolling - I genuinely wanted to know what the article says. I tried to read it, and got through, I don't know, 5 or 10 screenfuls before giving up, my mind numb.
The article would be much improved with an opening paragraph that summarises the findings.
It would also be improved with formatting that clearly differentiates the article text from the extensive site text it quotes. That site text is designed to numb users and put them off reading. It worked for me.
It's not cookies though, despite the title. GDPR banners regulate sharing of personally identifying data, which are a wider category, with things like browser fingerprints or IP addresses in it too.
1. First go to cookies and reject all cookies except the strictly necessary ones
2. Then go to “Legitimate interest” and then simply click “Object all”.
At my primary browser level -
3. In Firefox settings, choose “Block all cookies” (Hasn’t messed with my browsing experience, yet)
4. Periodically keep on deleting your browser cache and cookies. Don’t delete browsing history and saved logins.
I am currently looking for ways to minimize JavaScript usage. If anyone has any ideas, kindly proffer.
Caveat :- I am fully conscious that despite the painstaking activity of rejecting all cookies and objecting to all legitimate interest, I cannot rest easy that all websites I visit are scrupulous, cognizant and conscientious of my choice.
Also, I don’t get the option to reject and object on all websites, in which case I first check if there’s an archived snapshot on the Wayback Machine[1], or I simply forego reading the article altogether. For ex - www.BBC.co.uk, and even Reuters as mentioned in the OP’s post.
“Strictly Necessary Cookies” being defined as cookies that are necessary for a site to function always frustrates me. In what way does a news website need cookies in order to function? What exactly would break in showing news articles when I disallow all cookies to be stored in my browser?
I think a common example is any site that requires authentication will need to store some kind of session cookie in the browser. I suspect many news sites have subscriber accounts that you can log in with.
Many subscription news sites might consider the "how many free articles has this visitor viewed this month" to be a strictly necessary cookie, but that's just speculation on my part.
Safari used to make it easy to reject all cookies with an exception list. I wish this feature would return. They have also made it very difficult to access and manage cookies outside of Safari. Seems inconsistent with Apple's public stance on tracking.
[+] [-] Faint|5 years ago|reply
[+] [-] joshuaissac|5 years ago|reply
[+] [-] eyelidlessness|5 years ago|reply
[+] [-] reaperducer|5 years ago|reply
[+] [-] 2112|5 years ago|reply
[0] uBlock Origin
https://addons.mozilla.org/en-US/firefox/addon/ublock-origin...
[1] Firefox Multi-Account Containers
https://addons.mozilla.org/en-US/firefox/addon/multi-account...
[+] [-] ssss11|5 years ago|reply
[+] [-] hartator|5 years ago|reply
[+] [-] notatoad|5 years ago|reply
[+] [-] boxfire|5 years ago|reply
[+] [-] msla|5 years ago|reply
[+] [-] GordonS|5 years ago|reply
[+] [-] eli|5 years ago|reply
It's really really hard to come up with a machine readable code that encapsulates what each cookie means and does.
Also obviously true bad actors would just lie.
[+] [-] remram|5 years ago|reply
[+] [-] Shivetya|5 years ago|reply
[+] [-] wombatpm|5 years ago|reply
[+] [-] maxerickson|5 years ago|reply
[+] [-] tagawa|5 years ago|reply
[+] [-] bb101|5 years ago|reply
[+] [-] mattvot|5 years ago|reply
[+] [-] GordonS|5 years ago|reply
[+] [-] gadders|5 years ago|reply
[+] [-] MaxBarraclough|5 years ago|reply
I realise it's comically unenforced, but doesn't the GDPR forbid websites from doing that?
Obvious ugly workaround: use a Private Browsing session for that website.
[+] [-] BugWatch|5 years ago|reply
Choose not to accept / options.
You'll be faced with 330+ individual agree/disagree toggles. THERE IS NO REJECT ALL BUTTON. If you're not technically inclined, you have to manually click them all.
You also have to choose block/remove consent (or whatever it is called) for similar crap hidden under the "Legitimate uses" category moniker. Same shit.
For this, and similar idiotic dark patterns, there's a Firefox addon called "Unchecker".
https://addons.mozilla.org/en-US/firefox/addon/unchecker/
That is, of course, until they start using buttons (some already do), double negatives in the wording or some such crap.
[+] [-] rav|5 years ago|reply
[+] [-] trulyme|5 years ago|reply
[+] [-] sdfhbdf|5 years ago|reply
[0]: https://en.m.wikipedia.org/wiki/Do_Not_Track
[+] [-] weinzierl|5 years ago|reply
[1] https://data.consilium.europa.eu/doc/document/ST-6087-2021-I...
[+] [-] CoolGuySteve|5 years ago|reply
[+] [-] FriedrichN|5 years ago|reply
[+] [-] greggyb|5 years ago|reply
[+] [-] encom|5 years ago|reply
If I still see a popup, I just leave. I refuse to interact with popups. That was true in the 90's, and it's true today.
[+] [-] switch007|5 years ago|reply
[+] [-] roelschroeven|5 years ago|reply
[+] [-] hnick|5 years ago|reply
[+] [-] hombre_fatal|5 years ago|reply
[+] [-] aquir|5 years ago|reply
[+] [-] ThePhysicist|5 years ago|reply
[1] https://iabeurope.eu/transparency-consent-framework/
[+] [-] anotheraccount9|5 years ago|reply
I don't recall receiving any comments or complaints about this.
[+] [-] eptcyka|5 years ago|reply
[+] [-] wombatmobile|5 years ago|reply
[+] [-] rinze|5 years ago|reply
[+] [-] rhn_mk1|5 years ago|reply
[+] [-] godelmachine|5 years ago|reply
Ref.
[1] www.archive.is
[+] [-] VMG|5 years ago|reply
trying "reject all third party cookies" instead
[+] [-] Zanneth|5 years ago|reply
[+] [-] ncallaway|5 years ago|reply
[+] [-] herodotus|5 years ago|reply
[+] [-] jefftk|5 years ago|reply