1. 25

    There are a lot of extensions that automatically select the ‘reject all’ or walk the list and decline them all. Why push people towards one that makes them agree? The cookie pop-ups are part of wilful misinterpretation of the GDPR: you don’t need consent for cookies, you need consent for tracking and data sharing. If your site doesn’t track users or share data with third parties, you don’t need a pop up. See GitHub for an example of a complex web-app that manages this. Generally, a well-designed site shouldn’t need to keep PII about users unless they register an account, at which point you can ask permission for everything that you need to store and explain why you are storing it.

    Note also that the GDPR is very specific about requiring informed consent. It is not at all clear to me that most of these pop-ups actually meet this requirement. If a user of your site cannot explain exactly what PII handling they have agreed to then you are not in compliance.

    1. 4

      Can’t answer this for other people, but I want tracking cookies.

      When people try to articulate the harm, it seems to boil down to an intangible “creepy” feeling or a circular “Corporations tracking you is bad because it means corporations are tracking you” argument that begs the question.

      Tracking improves the quality of ad targeting; that’s the whole point of the exercise. Narrowly-targeted ads are more profitable, and more ad revenue means fewer sites have to support themselves with paywalls. Fewer paywalls mean more sites available to low-income users, especially ones in developing countries where even what seem like cheap microtransactions from a developed-world perspective would be prohibitively expensive.

      To me, the whole “I don’t care if it means I have to pay, just stop tracking me” argument is dripping with privilege. I think the ad-supported, free-for-all-comers web is possibly second only to universal literacy as the most egalitarian development in the history of information dissemination. Yes, Wikipedia exists and is wonderful and I donate to it annually, but anyone who has run a small online service that asks for donations knows that relying on the charity of random strangers to cover your costs is often not a reliable way to keep the bills paid. Ads are a more predictable revenue stream.

      Tracking cookies cost me nothing and benefit others. I always click “Agree” and I do it on purpose.

      1. 3

        ‘an intangible “creepy” feeling’ is a nice way of describing how it feels to find out that someone committed a serious crime using your identity. There are real serious consequences of unnecessary tracking, and it costs billions and destroys lives.

        Also I don’t want ads at all, and I have no interest in targeted ads. If I want to buy things I know how to use a search bar, and if I don’t know I need something, do I really need it? If I am on a website where I frequently shop I might even enable tracking cookies but I don’t want blanket enable them on all sites.

        1. 4

          How does it “costs billions and destroys lives”?

          1. 2

            https://www.ftc.gov/system/files/documents/reports/consumer-sentinel-network-data-book-2020/csn_annual_data_book_2020.pdf see page 8. This is in the US alone and does not take the other 7.7b people in the world into account. I will admit it is not clear what percentage of fraud and identity theft are due to leaked or hacked data from tracking cookies so this data is hardly accurate for the current discussion, but I think it covers the question of ‘how’. If you want more detail just google the individual categories in the report under fraud and identity theft.

            Also see this and this

            But I covered criminal prosecution in the same sentence you just quoted from my reply above so clearly you meant ‘other than being put in prison’. Also, people sometimes die in prison, and they almost always lose their jobs.

            1. 4

              The first identity theft story doesn’t really detail what exactly happened surrounding the ID theft, and the second one is about a childhood acquaintance stealing the man’s ID. It doesn’t say how exactly either, and neither does that FTC report as far as I can see: it just lists ID theft as a problem. Well, okay, but colour me skeptical that this is cause by run-of-mill adtech/engagement tracking, which is what we’re talking about here. Not that I think it’s not problematic, but it’s a different thing and I don’t see how they’re strongly connected.

              The NSA will do what the NSA will do; if we had no Google then they would just do the same. I also don’t think it’s as problematic as often claimed as agencies such as the NSA also do necessary work. It really depends on the details on who/why/what was done exactly (but the article doesn’t mention that, and it’s probably not public anyway; I’d argue lack of oversight and trust is the biggest issue here, rather than the actions themselves, but this is veering very off-topic).

              In short, I feel there’s a sore lack of nuance here and confusion between things that are (mostly) unconnected.

              1. 2

                Nevertheless all this personal data is being collected, and sometimes it gets out of the data silos. To pretend that it never causes any harm just because some stranger on the internet failed to come up with a completely airtight example case in 5 minutes of web searching is either dishonest or naive. If you really want to know, you can do the research yourself and find real cases. If you would rather just feel comfortable with your choice to allow all tracking cookies that is also totally fine. You asked how, I believe my answer was sufficient and roughly correct. If you feel the need to prove me wrong that is also fine, and I will consider any evidence you present.

                1. 2

                  The type of “personal data” required for identity theft is stuff like social security numbers, passport numbers, and that kind of stuff. That’s quite a different sort of “personal data” than your internet history/behaviour.

                  To pretend that it never causes any harm just because some stranger on the internet failed to come up with a completely airtight example case in 5 minutes of web searching is either dishonest or naive. If you really want to know, you can do the research yourself and find real cases.

                  C’mon man, if you’re making such large claims such as “it costs billions and destroys lives” then you should be prepared to back them up. I’m not an expert but spent over ten years paying close attention to these kind of things, and I don’t see how these claims bear out, but I’m always willing to learn something new which is why I asked the question. Coming back with “do your own research” and “prove me wrong then!” is rather unimpressive.

                  If you would rather just feel comfortable with your choice to allow all tracking cookies that is also totally fine.

                  I don’t, and I never said anything which implied it.

                  If you feel the need to prove me wrong that is also fine, and I will consider any evidence you present.

                  I feel the need to understand reality to the best of my ability.

                  1. 1

                    I feel the need to understand reality to the best of my ability.

                    Sorry I was a bit rude in my wording. There is no call for that. I just felt like I was being asked to do a lot of online research for a discussion I have no real stake in.

                    GDPR Article 4 Paragraph 1 and GDPR Article 9 Paragraph 1 specify what kind of information they need to ask permission to collect. It is all pretty serious stuff. There is no mention of ‘shopping preferences’. Social security numbers and passport numbers are included, as well as health data, things that are often the cause of discrimination like sexuality/religion/political affiliation. Also included is any data that can be used to uniquely identify you as an individual (without which aggregate data is much harder to abuse) which includes your IP, your real name.

                    A lot of sites just ask permission to cover their asses and don’t need to. This I agree is annoying. But if a site is giving you a list of cookies to say yes or no to they probably know what they are doing and are collecting the above information about you. If you are a white heterosexual English speaking male then a lot of that information probably seems tame enough too, but for a lot of people having that information collected online is very dangerous in quite real and tangible ways.

            2. 3

              I am absolutely willing to have my view on this changed. Can you point me to some examples of serious identity theft crimes being committed using tracking cookies?

              1. 2

                See my reply to the other guy above. The FTC data does not specify where the hackers stole the identity information so it is impossible for me to say what percentage are legitimately caused by tracking cookies. The law that mandates these banners refers to information that can be used to identify individuals. Even if it has never ever happened in history that hacked or leaked cookie data has been used for fraud or identity theft, it is a real danger. I would love to supply concrete examples but I have a full time job and a life and if your claim is “Sure all this personal data is out there on the web, and yes sometimes it gets out of the data silos, but I don’t believe anyone ever used it for a crime” then I feel like its not worth my time spending hours digging out case studies and court records to prove you wrong. Having said that if you do some searching to satisfy your own curiosity and find anything definitive I would love to hear about it.

              2. 2

                someone committed a serious crime using your identity

                because of cookies? that doesn’t follow

              3. 1

                Well this is weird. I think it’s easy to read that and forget that the industry you’re waxing lyrical about is worth hundreds of billions; it’s not an egalitarian development, it’s an empire. Those small online services that don’t want to rely on asking for donations aren’t billion-dollar companies, get a deal entirely on someone else’s terms, and are almost certainly taken advantage of for the privilege.

                It also has its own agenda. The ability to mechanically assess “ad-friendliness” already restricts ad-supported content producers to what corporations are happy to see their name next to. I don’t want to get too speculative on the site, but there’s such a thing as an ad-friendly viewer too, and I expect that concept to become increasingly relevant.

                So, tracking cookies. They support an industry I think is a social ill, so I’d be opposed to them on that alone. But I also think it’s extremely… optimistic… to think being spied on will only ever be good for you. Advertisers already leave content providers in the cold when it’s financially indicated—what happens when your tracking profile tells them you’re not worth advertising to?

                I claim the cost to the individual is unknowable. The benefit to society is Cambridge Analytica.

              4. 2

                The cookie law is much older than GDPR. In the EU you do need consent for cookies. It is a dumb law.

                1. 11

                  In the EU you do need consent for cookies. It is a dumb law.

                  This is not true. In the EU you need consent for tracking, whether or not you do that with cookies. It has to be informed consent, which means that the user must understand what they are agreeing to. As such, a lot of the cookie consent UIs are not GDPR compliant. Max Schrems’ company is filing complaints about non-compliant cookie banners.

                  If you only use functional cookies, you don’t need to ask for consent.

                  1. 3

                    https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31995L0046 concerns consent of user data processing.

                    https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32002L0058 from 2002 builds on the 1995 directive, bringing in “cookies” explicitly. Among other things it states “The methods for giving information, offering a right to refuse or requesting consent should be made as user-friendly as possible.”

                    In 2009 https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32009L0136 updated the 2002 directive, closing a few loop holes.

                    The Do-Not-Track header should have been enough signal to cut down on cookie banners (and a few websites are sensible enough to interpret it as universal rejection for unnecessary data storage), but apparently that was too easy on users? It went as quickly as it came after Microsoft defused it by enabling it by default and parts of adtech arguing that the header doesn’t signify an informed decision anymore and therefore can be ignored.

                    If banners are annoying it’s because they’re a deliberate dark pattern, see https://twitter.com/pixelscript/status/1436664488913215490 for a particularly egregious example: A direct breach of the 2002 directive that is typically brought up as “the cookie law” given how it mandates “as user-friendly as possible.”

                    1. 2

                      I don’t understand what you’re trying to say. Most cookie banners on EU sites are not at all what I’d call a dark pattern. They’re just trying to follow the law. It is a stupid law which only trained people to click agree on all website warnings, making GDPR less effective. Without the cookie law, dark patterns against GDPR would be less effective.

                      1. 3

                        The dark pattern pgeorgi refers to is that on many cookie banners, the “Refuse all” button requires more clicks and/or more careful looking than the “Accept all” button. People who have trained themselves to click “Accept” mostly chose “Accept” because it is easier — one click on a bright button, and done. If “Refuse all” were equally easy to choose, more people would train themselves to always click “Refuse”.

                        Let’s pretend for a moment the cookie law no longer exists. A website wants to set a tracking cookie. A tracking cookie, by definition, constitutes personally identifiable information (PII) – as long as the cookie is present, you can show an ad to specifically that user. The GDPR recognizes 6 different conditions under which processing PII is lawful.

                        The only legal ground to set a tracking cookie for advertising purposes is (a) If the data subject has given consent to the processing of his or her personal data. I won’t go over every GDPR ground, but suffice it to say that tracking-for-advertising-purposes is not covered by

                        • (b) To fulfil contractual obligations with a data subject;
                        • nor is it covered by (f) For the legitimate interests of a data controller or a third party, unless these interests are overridden by interests of the data subject.

                        So even if there were no cookie law, GDPR ensures that if you want to set a tracking cookie, you have to ask the user.

                        Conversely, if you want to show ads without setting tracking cookies, you don’t need to get consent for anything.

                        1. 2

                          I feel the mistake with the whole “cookie law” thing is that it focuses too much on the technology rather than what people/companies are actually doing. That is, there are many innocent non-tracking reasons to store information in a browser that’s not “strictly necessary”, and there are many ways to track people without storing information in the browser.

                        2. 1

                          I’m not saying that dark patterns are employed on the banners. The banners themselves are dark patterns.

                          1. 1

                            The banners often come from freely available compliance packages… It’s not dark, it’s just lazy and badly thought out, like the law itself.

                            1. 1

                              What about the law do you think is badly thought out?

                              1. 1

                                The cookie part of the ePrivacy Directive is too technological. You don’t need consent, but you do have to inform the user of cookie storage (or localstorage etc) no matter what you use it for. It’s unnecessary information, and it doesn’t protect the user. These are the cookie banners that only let you choose “I understand”, cause they only store strictly necessary cookies (or any kind of cookie before GDPR in 2016).

                                GDPR is the right way to do it. The cookie part of EPR should have been scrapped with GDPR. That would make banners that do ask for PII storage consent stand out more. You can’t make you GDPR banner look like an EPR information banner if EPR banners aren’t a thing.

                    2. 2

                      Usually when I see the cookie consent popup I haven’t shared any personal information yet. There is what the site has from my browser and network connection, but I trust my browser, uBlock origin and DDG privacy tools to block various things and I use a VPN to somewhere random when I don’t want a site to know everything it can about my network location.

                      If I really do want to share personal info with a site, I’ll go and be very careful what I provide and what I agree too, but also realistic in that I know there are no guarantees.

                      1. 8

                        If you’re using a VPN and uBlock origin, then your anonymity set probably doesn’t contain more than a handful of people. Combined with browser fingerprinting, it probably contains just you.

                        1. 2

                          Should I be concerned about that? I’m really not sure I have properly thought through any threats from the unique identification that comes from that. Do you have any pointers to how to figure out what that might lead to?

                          1. 9

                            The point of things like the GDPR and so on is to prevent people assembling large databases of correlated knowledge that violate individual privacy. For example, if someone tracks which news articles you read, they have a good first approximation of your voting preferences. If they correlate it with your address, they can tell if you’re in a constituency where their candidate may have a chance. If you are, they know the issues that are important to you and so can target adverts towards you (including targeted postal adverts if they’re able to get your address, which they can if they share data with any company that’s shipped anything physical to you) that may influence the election.

                            Personally, I consider automated propaganda engines backed by sophisticated psychological models to be an existential threat to a free society that can be addressed only by some quite aggressive regulation. Any unique identifier that allows you to be associated with the kind of profile that these things construct is a problem.

                          2. 2

                            Do you have a recommendation?

                        2. 2

                          The problem with rejecting all the tracking is that without it most ad networks will serve you the worst/cheapest untargeted adverts which have a high chance of being a vector for malware.

                          So if you reject the tracking you pretty much have to also run an ad-blocker to protect yourself. Of course if you are running an ad blocker then the cookies arent going to make much difference either way.

                          1. 1

                            I don’t believe it makes any difference whether you agree or disagree? the goal is just to make the box go away

                            1. 2

                              Yes. If I agree and they track me, they are legally covered. If I disagree and they track me then the regulator can impose a fine of up to 5% of their annual turnover. As a second-order effect: if aggregate statistics say 95% of people click ‘agree’ then they have no incentive to reduce their tracking, whereas if aggregate statistics say ‘10% leave the page without clicking either, 50% click disagree’ then they have a strong case that tracking will lose them business and this will impact their financial planning.

                          1. 4

                            If you want to use an online password manager, I would recommend using the one already built into your browser. They provide the same functionality, and can sidestep these fundamental problems with extensions.

                            Except that they don’t support sharing passwords, let alone role-based access controls.

                            1. 3

                              You’re doing role based access control using passwords and a password manager?

                              So when e.g. somebody loses a role you change the pw and update it in everybody’s manager?

                              And when something gets screwed up you only know that it was somebody who had the password because everybody uses the same account?

                              Imho password sharing is an anti-feature.

                              1. 5

                                B2B vendors have a nasty habit of mandating one account per customer company instead of one account per human. Password sharing solves this problem.

                                1. 1

                                  And it gets even more fun when the vendor has “you must change your password every 30 days” rules, which was a constant headache with dozens of one-login-per-company vendors at my last job.

                                2. 2

                                  Many people have multiple computing devices, sharing allows you to use the same password store on all of them instead of having to laboriously setup and manage multiple password stores.

                                  1. 1

                                    Oh, yeah, that’s fine and can be handled using a shared db. This was about sharing with other people. :)

                                  2. 1

                                    My girlfriend and I share passwords for a couple sites (streaming ones, mostly). It’s not role-based because there’s just two of us, and we could just let each other know if the password has to be changed, but it’s not an anti-feature.

                                    1. 1

                                      I think it is an anti-feature because it prevents the proper security requirements unless you also have some kind of shared master password.

                                      The password manager company should simply not be able to share your password with someone because they should not be able to access it.

                                    2. 1

                                      So when e.g. somebody loses a role you change the pw and update it in everybody’s manager?

                                      And when something gets screwed up you only know that it was somebody who had the password because everybody uses the same account?

                                      It’s mostly me, but I have multiple environments that require varying levels of access. It’s mainly to try and contain the damage from a breach on any one device. It sucks, but very few sites/services allow you to enable access to different users.

                                  1. 3

                                    The only reason for leaving the original comment in place would be allowing other users to walk right up to the ‘acceptable’ line without crossing it. That doesn’t seem like a good idea.

                                    Also standards for what the mods allow may change, I’m sure they don’t want to get involved in arguments comparing different mod decisions made over time.

                                    1. 2

                                      The only reason for leaving the original comment in place would be allowing other users to walk right up to the ‘acceptable’ line without crossing it.

                                      That’s not a valid reason - moderation doesn’t work that way, as there isn’t a line in the first place (language isn’t that simple). @pushcx (and/or any other mods) can just delete/ban when they think that someone is taunting them or being edgy.

                                      Valid reasons for leaving the comment content up (not necessarily in place - could be only in the modlog) are (1) transparency, so normal users can see what the mods are doing and (2) to set concrete examples of what are and are not acceptable on the site.

                                      Also standards for what the mods allow may change, I’m sure they don’t want to get involved in arguments comparing different mod decisions made over time.

                                      Not just “arguments”, but also “discussions”. If the standards change, transparency allows for there to be actual discussions, which is good.

                                    1. 2

                                      Mapcode is free, open source and works worldwide https://www.mapcode.com/about

                                      1. 1

                                        And are also harder to memorize for much of the population when compared with spoken words

                                        1. 1

                                          These arent passwords, I don’t think being able to memorise your location is particularly useful, if you are speaking a location over the telephone, a short alpha-numeric code can be spoken using the phonetic alphabet. In contrast 3 words will have multiple ways to misspell them and while you could use a phonetic alphabet, theres going to be a lot more characters to spell out. Mapcode also works better for people who don’t speak english.

                                          1. 1

                                            Memorizing YOUR location isn’t helpful, since it changes.

                                            But a long driveway entrance?

                                      1. 3

                                        I wonder, what’s the reason for splitting the space bar in two?

                                        1. 5

                                          They talk about it somewhere in the docs. The idea is that you can remap one of the half-bars to another key if you’d like, so you can backspace with your thumb, for example, but still also have space on your thumb.

                                          1. 4

                                            Probably because it doesn’t require stabilizers then…

                                            1. 3

                                              Like many design features in conventional keyboards, (especially the staggered rows or the ergonomically awful positioning of modifier keys) the reason most spacebars are comically wide is that they were just copying the design of typewriters without considering the original rationale. In a typewriter, the space bar is different from every other key because it doesn’t have an arm attached to it that needs to come up to strike the paper, so it could be placed lower down where the arms wouldn’t reach and out of the way of the other moving parts.

                                              1. 1

                                                Split spacebars are pretty popular in the mechanical keyboard enthusiast community, for aesthetic as well as practical reasons (can map more functionality to more switches, like layer switching for instance).

                                                1. 1

                                                  The idea is you can optionally remap one of them to a modifier key (eg: Fn/ctrl/alt/shift) or use it activate a custom layer.

                                                  1. 1

                                                    It gives a more positive/reliable response, the spacebar has long been a weak point on IBM and the more modern pckeyboards.com