You assume the problem was to determine the user’s preference in the most efficient way possible. The problem, instead, was to fool as many users into consenting as possible; and from that point of view, it is indeed rational to ignore any advisory signals and annoy the user so they want to just make the message go away.
The issue is with how browsers implemented it. Instead of implementing it with per-domain granularity, it was implemented as a global option. People may enable the option to block tracking from malicious parties, but may unknowingly block tracking from good companies. So now good companies would need to ask the user if they actually want tracking since they may accidentally be blocking it.
No, the real problem was that it worked too well from the perspective of ad-tech and data-gatherers.¹
It relied on the goodwill of those who run these services to i) invest some effort and money to detect the DNT headers and then ii) not collect/store the data of these requests.
Back when only a tiny portion of web users would send these headers along, the industry was fine to implement it. If only for marketing purposes.
But, as soon as they saw that it actually worked, the industry saw a threat to their revenues and stopped.
I believe a DNT2.0 that's more granular could've been a basis for GDPR, but the GDPR refrained -rightfully so, IMO- from any implementation details. For one, the GDPR never once requires some "popup", it merely states that if you are an a*hole and collect data that you shouldn't and/or send that to other parties, you should at least ask consent to do so - the idea being that web-owners would then massively ditch these services so that they don't have to nag their users.
And because the GDPR refrained from implementation details, the ad and surveillance industry adopted a "dark pattern" that annoys people to no end (the popups) so as to paint the GDPR in a bad light. This industry could've easily said "If we see a DNT header with level:x and domainmask:*, we'll assume NO to every tracking cookie and won't collect them". And the browser makers then could add some UI to allow users per-domain or global, or wildcard or whatever settings "set-and-forget". But alas, this industry is malicious at best and will annoy users to no end for their own agenda.
>I never understood why the HTTP Do Not Track header wasn’t used to signal cookie preferences.
You aren't really giving preferences related to cookies with these "cookie banners".
The laws in the EU require companies to get user permission for certain types of data processing.
Cookies may be involved in that, but they may not be.
Browser features like local storage or session storage would also be covered, and a lot of processing done server-side without the use of cookies requires permission too.
A single indicator like the DNT header or the newer GPC header can't cover all of this, so it isn't suitable for complying with the ePrivacy Directive or GDPR.
It’s broken in the same way as do-not-stab. We tried that in my town, but people started slashing each other. One person got a big knife and kept it sheathed, then clubbed people with the handle.
There’s clearly no way to indicate what sort of knife-based assault is acceptable using a single indicator.
mananaysiempre|10 months ago
charcircuit|10 months ago
berkes|10 months ago
¹ edit: source: https://pc-tablet.com/firefox-ditches-do-not-track-the-end-o...
coldpie|10 months ago
Say what?
moebrowne|10 months ago
https://en.wikipedia.org/wiki/Global_Privacy_Control
daveoc64|10 months ago
hedora|10 months ago