@codinghorror @lispi314 @leymoo They may be well-intentioned* but they're not well-designed or doing everything right. They're tracking visitors without their consent.

* Normally I would not even call this well-intentioned, but as I said upthread, the fact that every web framework *automatically sets session cookies assuming you want to break the law and track users* even when the user has not indicated that they want to do something like log in or store a shopping cart, means a lot of people *don't even know they're doing it*. But this doesn't excuse it; it just makes them "well-intentioned".



Look, EU, it is difficult to take you seriously when you forced all this cookie notification bullshit on us. That feature a) should not exist and b) if it did, should be a BROWSER feature not "every website in the entire world now has to bother everyone forever about this stupid thing" blog.codinghorror.com/breaking…
This entry was edited (1 week ago)
in reply to Jeff Atwood

That's a myth perpetrated by adtech industry. There is no EU obligation to spam cookie notices. There's an obligation not to track without explicit consent, and everyone illegally uses the cookie nag popups as a basis for claiming consent (which it's not). A legitimate, non malicious site has no need for cookie nags. Ever.
in reply to Cassandrich

not true. It is a LEGAL REQUIREMENT. Or you will be sued. By lawyers. And money.
in reply to Jeff Atwood

German here: the gist of GDPR is: people must know when someone collects personal data.

You can perfectly live without a cookie banner if you don't set one for arbitrary visitors. That was the intended result. But reality instead invented this UX nightmare, because we can't have nice things.

For me it just shows how fucked up today's web actually is.

This entry was edited (1 week ago)


in reply to Enno T. Boland

also, by default a website complies with GDPR.

The choices by those in charge (collecting ad revenue or choosing a harmful technical library) are what then make a website require consent.

in reply to Jeff Atwood

No, if you are not tracking you have not broken any law and you will not be sued.
in reply to Cassandrich

@dalias in analogy:
EU made it illegal to “sucker punch people” ie collect personal data without consent. That’s not the same as legit personal data collection eg an online shop needs your delivery address to mail your order you just made to you.

Cookie banners are basically giving someone a quick “sorry” after punching them - it’s a loophole that shouldn’t exist. No sorry needed if you don’t punch anyone.

in reply to Ashley Rolfmore (leymoo)

@leymoo They're not even a loophole. It's been ruled that they don't meet the GDPR requirements. But enforcement is lax. Really every site with cookie banners instead of genuine opt-in should be facing tens or hundreds of millions of euros in fines.
in reply to Cassandrich

@dalias yeah fair. I see some progress has been made on allowing ad free meta product usage (with payment).

But the banners I think are harder to enforce because it’s just so many companies, large and small.

in reply to Ashley Rolfmore (leymoo)

@leymoo It's also that the garbage web frameworks make it basically impossible to comply. EVERY SINGLE ONE automatically generates a session cookie for you on first access, despite having no legitimate reason to track a session for you. Instead this should happen only when you opt to log in, or add something to your cart or whatever (at which point you should *then* get the prompt for consent to store that data, and an option to store cart contents locally instead of server-side).
in reply to Cassandrich

yes indeed! before we joined Internet Safety Labs, the org published a spec for how that relationship between the visitor and the company should work, in an ideal world

not because anybody is going to follow that spec unless legally required to... just because sometimes you need to make your position clear

in reply to Irenes (many)

anyway: during our time at Google we were occasionally party to VP-level decision-making around privacy topics

we can attest, from our own direct knowledge, that tech companies habitually intentionally refuse to engage with public-policy debates so that they can later paint the laws and regulations that come out of those debates as uninformed by industry realities

in reply to Cassandrich

@dalias that’s all very nice in theory, but it was always going to end up with what we have, due to the way this regulation was brought in. With having to incessantly click Accept on every single website out there. Only a small fraction of people care to do anything else. Thus reducing the experience for almost everyone and annoying millions every day. The cookies are not just used for ads, but every analytics tool out there. Key to running sites.
in reply to Kristoffer Lawson

@Setok @dalias Not if you do analytics based on your own web server logs. You only need consent if you use a data guzzling third party analytics tool.
in reply to Mark Koek

@mkoek @dalias tell that to the thousands of startups desperately trying to balance with a billion other things they're trying to do. That's just not a practical suggestion when the third party analytics are much faster to set up, better understood, and generally superior too than some self-hosted thing cobbled together.

As mentioned, the reality we are in today with cookie popups everywhere was 100% predictable and the regulation was thus poorly considered.

in reply to Kristoffer Lawson

@Setok @dalias I would not advise startups to behave unethically because it’s easier, no. In fact, shouldn’t it be an eye opener that a law that requires people to do the right thing (don’t track people without consent) is viewed as wrong simply because it takes a tiny bite out of the ability to move fast and break things?
in reply to Mark Koek

@mkoek @dalias frankly, yes. The law hasn’t changed anything of substance. Companies still use the same analytics tools. But now users are constantly nagged at, and companies have increased costs and slower go to market times as they need to faff with these things.

Perfect example of regulation that is completely misguided, and is a nuisance to almost everyone, bar a few people on Mastodon. Wrong approach.

in reply to Mark Koek

@mkoek @Setok @dalias it hasn’t changed anything because it does not address root causes. Users want everything for free, forever, and content creators want to make money to feed themselves and their families. Until we resolve THAT, we will be stuck in endless combat between these two opposing forces. And the money is going to find a way to inevitably win because it has to. You have to make a living somehow. Free everything is great and all but it is never ever ever gonna be “free.”
This entry was edited (1 week ago)
in reply to Liam Proven

@lproven @mkoek @Setok @dalias

Even being the "card-carrying Libertarian" that I am, I have long said that the most fundamental errors of Libertarian philosophy are to assume that

(1) reliable information is free

[It is not. It is expensive and difficult to obtain. There's no "want" about that; it's just reality.]

and

(2) people are rational.

[Like, do I really need to explain this? Especially in the context of current politics? 🙄 ]

in reply to Cassandrich

Moreover there *was* a browser feature to set it globally and all the assholes running websites refused to honor it and instead used your setting as an additional fingerprinting bit to track you.
in reply to Cassandrich

@dalias This. All those banners tell you is "this website doesn't respect your privacy"

And there was a "Do Not Track"-flag, but respecting that was voluntary. :/

in reply to Jeff Atwood

That the EU 'forced' cookie banners is flat-out false. It was a *choice* for sites like yours to persist in the intensive collection of data about your users to feed in to the surveillance capitalism machine. As genuinely admirable as your philanthropy is, it was built on this.
in reply to William Oldwin

As for why this isn't a browser feature, it was and is! It is a *choice* by your industry to disregard this, by ignoring DNT and not implementing GPC in major browsers. Did your site honour DNT? Does it honour GPC in places where it is not legally obliged to?

developer.mozilla.org/en-US/do…
globalprivacycontrol.org/

in reply to William Oldwin

@willegible yeah, because users really loooove paying for content instead of free with ads .. I get it, you want to pick a fight with human nature. Well, how many centuries do you got to fight it with?
in reply to Jeff Atwood

Your complaint is disingenuous. The EU didn't require cookie banners, it required that collection of personal information only be done with explicit user consent. This hardly bans free advertising-supported content, and it has always been entirely possible for the web content industry collectively to define a less intrusive mechanism for collecting that consent. Your industry just hasn't bothered. Why might that be?
in reply to Jeff Atwood

I'm sorry I usually really like your takes but this one is just not true: the only thing the EU Cookie Law requires is consent for cookies that are not technically necessary, so mostly tracking features in our current internet, which are extremely privacy-intrusive. Useful features such as login, shopping cart, settings etc. -- none of that requires any cookie banner. So websites making use of cookie banners only do that because they don't want to respect their users' privacy


in reply to Jeff Atwood

@luap42 the donottrack header is exactly that at the browser level; if it's set no need to ask the user about consent they're explicitly denying. For non-tracking, i.e., technically necessary (auth,user settings) cookies, that banner is not necessary

the browser setting exists, it's not honored by website operators, which choose to show banners instead, and is being torpedoed by google, who is earth's dominant ad network and browser supplier.

the EU (in that case) isn't at fault.

in reply to Marcus Müller

@luap42 here's the stock firefox browser setting you wish for; it's right there.
in reply to Marcus Müller

@funkylab @luap42 Well, akschualllly the Do-Not-Track header has been deprecated because it was widely disrespected for being enabled by default in some cases, so websites argued that DNT doesn't really reflect the users' choices.

Therefore, DNT has been replaced by the Global-Privacy-Control header which is required to be disabled by default. @funkylab's screenshot shows the GPC setting.

@codinghorror Not sure how GPC is not precisely the “at the browser level” you are describing.
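
Added example, not part of any post in this thread: a sketch of the two behaviours discussed above, creating a session cookie only when the visitor logs in or adds to a cart, and treating `Sec-GPC: 1` (or the deprecated `DNT: 1`) as a refusal of analytics. The route names, the `sid` cookie name, the `analytics_consent` flag and the in-memory store are assumptions made for illustration.

```python
import secrets
from http.cookies import SimpleCookie

SESSIONS = {}  # in-memory session store (assumption; illustration only)
SESSION_ROUTES = {"/login", "/cart/add"}  # hypothetical routes that need state


def opted_out(headers):
    """True when the browser sent Sec-GPC: 1 or the deprecated DNT: 1."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    return h.get("sec-gpc") == "1" or h.get("dnt") == "1"


def current_session(headers):
    """Return a session id from the Cookie header only if the server issued it."""
    h = {k.lower(): v for k, v in headers.items()}
    jar = SimpleCookie(h.get("cookie", ""))
    sid = jar["sid"].value if "sid" in jar else None
    return sid if sid in SESSIONS else None


def handle(method, path, headers):
    """Return (status, response_headers, flags) for one request."""
    sid = current_session(headers)
    out = []
    # No cookie on first access: a session starts only on an action that needs one.
    if sid is None and method == "POST" and path in SESSION_ROUTES:
        sid = secrets.token_urlsafe(32)
        SESSIONS[sid] = {}
        cookie = SimpleCookie()
        cookie["sid"] = sid
        cookie["sid"]["path"] = "/"
        cookie["sid"]["httponly"] = True
        cookie["sid"]["secure"] = True
        cookie["sid"]["samesite"] = "Lax"
        out.append(("Set-Cookie", cookie["sid"].OutputString()))
    # Analytics needs recorded consent, and a browser opt-out signal overrides it.
    consent = sid is not None and SESSIONS[sid].get("analytics_consent", False)
    flags = {"load_analytics": bool(consent and not opted_out(headers))}
    return 200, out, flags
```
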

Unknown parent

Lauma Pret 🕸️
@pkal @karttu
Yeah, I managed to do it on waterfox now. Half a year ago on actual FF I couldn't.
Unknown parent

Philip Kaludercic
@laumapret @karttu In Fennec (and I hope this is not different in regular Android FF) I can just open the Firefox addon page and install it.
in reply to Jeff Atwood

@javier Websites that don't use cookies are not involved. Neither are websites that only use cookies that are _required_ for the website to function, e.g. session tokens.

It's only when you'd like to use cookies to track users and deliver personalized ads that you have to deal with this stuff.

It's a choice.

Most websites simply don't choose the privacy-friendly option.


in reply to scy

@scy @javier one of the big problems nobody talks about: tech is largely only explained by entities who have no incentive to explain it *well*.

Google, Meta, large ad networks are all like "stupid EU makes us do Cookie banner".

While the actual regulation is actually pretty good. The regulation is basically "don't fuck around with user data. But if you do, you at least need to tell the user".

This entry was edited (1 week ago)
in reply to Jeff Atwood

The EU did not force cookie notifications. Site operators decided that it was easier to make everyone click through notifications instead of only using the data they legitimately needed.
in reply to Jeff Atwood

it not being a browser feature is part of the dark pattern, i think. Data brokers and google would lose their business model if this would be a browser feature and everyone selected to not agree. (Why would anyone ever select otherwise?)
in reply to Jeff Atwood

True, but my point remains. This shitty experience we're collectively having here isn't "the EU forcing cookie notification on people", it's "the malicious compliance of companies that profit from user tracking."

Every company that shows you a cookie popup has made the choice to put a few fractions of pennies of possible future profit ahead of your experience.

gdpr.eu/cookies/
