Who wants to be tracked? (quantable.com)
189 points by jhpacker on May 18, 2023 | 267 comments



My spouse will sometimes mention in conversation with others that I invented the cookie. This always puts me on the spot, and I have to enter into a long explanation of the what and the why of cookies lest they believe that I am some sort of evil software hacker. (Now for a short explanation so that HN readers don’t think that I’m an evil hacker: I invented them, with the help of a colleague, while at IBM where we were designing a distributed file system. This was before the advent of the World Wide Web.)


Many of us remember when cookies were purely a utility-add for end users and were restricted only to the domain which set them. Thanks for inventing that.


Who can take credit for lifting that restriction?

Some popular browsers are supposedly "open source" yet it appears no browser user longing for saner times has ever tried reversing this change and recompiling the browser for their own use. No third party cookies by default.

The most fascinating thing IMO about so-called "modern" browsers is that even when their vendors publish source code, "99.9%" of people will not even attempt to make changes, even something as simple as changing a default from "on" to "off". It's like the software is stamped with "Read Only" or "Do Not Touch" and "99.9%" of people dutifully obey. The "0.1%" appear to be very conservative with the changes they make.

For example, if it was possible to disable auto-loading of resources, I might actually use these "modern" graphical browsers for tasks other than commercially-oriented transactions. Cookies are only one problem with these browsers.


Seems a bit overkill to recompile to get "no third party cookies by default" when you can just open the settings and disable it when you first install the browser. The setting is kept between updates (in Firefox at least) and if you are paranoid you can always check with Dev tools or a dumping proxy that 3rd party cookies are still disabled after an update.


This undervalues convenience. The convenience of not having to worry about privacy-hostile default settings. Also, this will not work where the user is running applications from read-only media, or using something like "Guest mode" on a Chromebook where changes to settings are either not possible or ephemeral.

This sort of argument in defense of so-called "tech" company "default settings" shenanigans has been called out in recent litigation. Courts are becoming aware of the power and significance of "default settings".

It's this idea of "overkill", or other similar rationales, that I am referring to in the original comment. Just enough "friction" to stop people from changing things. Not worth the trouble, people may think. And this works year after year. Amazing. Browser vendors were not the first in the computer industry to utilise this type of tactic, but it's a fine example.

Not sure who "you" refers to in the parent comment: me or a hypothetical person. If it's the former, I use a text-only browser that neither auto-loads resources nor runs Javascript, along with a localhost-bound proxy that strips or adds cookies. This is perfect for me. Both software I can change and quickly re-compile at any time. If it's the latter, and "you" refers to a hypothetical person, then I cannot comment on behalf of such persons.

What I do know is that most users do not change default settings.


You originally wrote:

> Some popular browsers are supposedly "open source" yet it appears no browser user longing for saner times has ever tried reversing this change and recompiling the browser for their own use. No third party cookies by default.

And my response was simply it's way easier for the vast majority of people to change a setting once, than compiling the source (and remember to stay up to date with new releases)

> What I do know is that most users do not change default settings.

And they don't install alternative privacy respecting browsers either.

(edit for layout)


The "vast majority of people" will neither find nor change settings. Ever.

They are not interested in computers and they certainly do not read and comment on HN.

When I use the term "browser user" in the quoted comment it can be assumed I am referring to browser users who can write/edit and compile source code. If I wanted to address or comment about a larger audience, including people who are not interested in computers, who do not read HN, i.e., "the vast majority of people", then I would not be commenting here.


I think most will agree that we should focus on making browsers by default limit the amount of private and identifying information sent to anywhere that didn't explicitly get authorized for it.


TBH, with today's web the only way I have found to limit the information sent is to either not use a browser to make HTTP requests (e.g., use TCP client instead) or use a browser that (a) does not auto-load resources, e.g., images, Javascript files, etc, and (b) does not run Javascript inside <script> tags. Of course no other silly stuff like automatic "DNS prefetch" either. This way I know that the only information I am sending is the information I the web user actually sent, i.e., the HTTP request. Otherwise, there is no way to know what other HTTP requests will be made to accomplish auto-loading images, fonts, etc. or what other HTTP requests will be made by auto-loaded or inlined JS when the browser automatically runs it.

When the user types or clicks on https://hostx.com/1.htm, the user knows she has sent a request for filepath "/1.htm" at hostx.com. That's straightforward and easy to understand. Her intent is clear. She wants the file named "1.htm" from hostx.com.

However, what if she uses a browser that auto-loads remote files and auto-runs JS, and, e.g., the file 1.htm instructs the browser to auto-load the file "1.js", the browser automatically runs 1.js without any input from the user, and then 1.js makes more HTTP requests. Has the user "authorised" that information to be sent? Imagine she does not know the contents of file 1.js. How can she authorise sending information, i.e., an HTTP request, if she does not know what is the information, i.e., the request, and where it is being sent?
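The gap described in the comment above, between the one request the user makes and the requests an auto-loading browser makes on her behalf, can be measured statically. The following is an added example, not part of the original comment: it parses a constructed copy of `1.htm` and lists every fetch the markup triggers without user action. The page content and all hosts other than hostx.com are made up for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Elements whose src a typical graphical browser fetches with no user action.
AUTO_LOAD_ATTRS = {"script": "src", "img": "src", "iframe": "src",
                   "audio": "src", "video": "src", "source": "src", "embed": "src"}
# <link> only causes network activity for these rel values.
AUTO_LOAD_LINK_RELS = {"stylesheet", "icon", "preload", "prefetch",
                       "preconnect", "dns-prefetch", "modulepreload"}


class AutoLoadAudit(HTMLParser):
    """Collects the requests a page's markup triggers beyond the page itself."""

    def __init__(self, page_url):
        super().__init__(convert_charrefs=True)
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        self.requests = []       # (tag, absolute URL, same host as the page?)
        self.inline_scripts = 0  # code whose later requests cannot be seen statically
        self._in_inline_script = False

    def _record(self, tag, ref):
        absolute = urljoin(self.page_url, ref)
        same_host = urlsplit(absolute).hostname == self.page_host
        self.requests.append((tag, absolute, same_host))

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            if attrs.get("href") and rels & AUTO_LOAD_LINK_RELS:
                self._record("link", attrs["href"])
            return
        attr = AUTO_LOAD_ATTRS.get(tag)
        if attr and attrs.get(attr):
            self._record(tag, attrs[attr])
        elif tag == "script":
            self._in_inline_script = True

    def handle_data(self, data):
        if self._in_inline_script and data.strip():
            self.inline_scripts += 1
            self._in_inline_script = False  # count each inline block once

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False


def audit(page_url, html):
    """Return the explicit request, the automatic ones, and the extra hosts contacted."""
    parser = AutoLoadAudit(page_url)
    parser.feed(html)
    parser.close()
    other_hosts = sorted({urlsplit(url).hostname
                          for _, url, same in parser.requests if not same})
    return {
        "explicit_request": page_url,
        "auto_requests": [url for _, url, _ in parser.requests],
        "other_hosts": other_hosts,
        "inline_scripts": parser.inline_scripts,
    }


# Constructed sample: what https://hostx.com/1.htm might contain.
SAMPLE_PAGE_URL = "https://hostx.com/1.htm"
SAMPLE_HTML = """<!doctype html>
<html><head>
<link rel="dns-prefetch" href="//fonts.example.net">
<link rel="stylesheet" href="/site.css">
<link rel="canonical" href="https://hostx.com/1.htm">
<script src="1.js"></script>
<script src="https://metrics.example.org/t.js"></script>
</head><body>
<img src="https://pixel.example.org/p.gif?page=1.htm" width="1" height="1">
<a href="https://elsewhere.example.com/">a link the user may or may not click</a>
<script>fetch("/api/ping");</script>
</body></html>"""

if __name__ == "__main__":
    report = audit(SAMPLE_PAGE_URL, SAMPLE_HTML)
    print("user asked for:", report["explicit_request"])
    for url in report["auto_requests"]:
        print("browser also fetches:", url)
    print("hosts the user never named:", report["other_hosts"])
    print("inline scripts (requests unknown until run):", report["inline_scripts"])
```

The count is a lower bound: whatever `1.js` and the inline script request once they run is invisible to static parsing, which is exactly the commenter's point.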


Firefox rolls out Total Cookie Protection by default to more users worldwide

https://blog.mozilla.org/en/mozilla/firefox-rolls-out-total-...

Finally, just last month.


Browsers need a lot of updates. No way I'd want to touch a single line of code in a browser. Somehow, something is going to break and I'll have to screw with it at an inconvenient time no matter how clever my auto update script is.

There's lots of stuff I'd like to change, but I am not wading through the nightmare pile of code to add mdns browsing and SyncThing bookmark sync.

It's too bad most apps are getting rid of true scriptability. Browsers would be way better if you could just drop a python file in a folder and change stuff.


The text-only browser I use does not need updates. I am able to script it via tmux.

Overall I think "browsers" are overextended and overrated. I use them as HTML readers. I prefer separate programs for different tasks instead of one program for every task.

The so-called "modern" web browser, a "nightmare pile of code" indeed.


There are likely dozens of others out there that can lay claim to the same. What specifically do you define as the innovation behind this “invention”?


I'm sure that many can make the same claim. In the 1980's, I was an operating systems architect working at IBM. I thought up many interesting (to me) innovations while working on the first couple of releases of the AIX on the IBM POWER hardware. It was a great job and I learned a lot doing it. I got to work with some really brilliant developers and computer scientists (a number from IBM Research).

One project I was responsible for was the development of a distributed file system for AIX. The goal was a distributed file system that addressed some of the weaknesses found in other distributed file systems at the time. Our chief competitor was Sun's NFS distributed file system. NFS was a really nice design. It was well integrated into the operating system and quite reliable because it utilized a (mostly) stateless server. This had a number of performance and security implications along with some file system semantics over NFS that didn't match local file system semantics. We wanted to introduce state for the server to address these issues and thought of a number of complex protocols to manage it in the presence of unreliable clients. That's when I thought up the idea of making the clients keep their own state to be restored when they reconnected to the server. I protected this state from manipulation by the client by encrypting it. I didn't call them cookies, I called them tokens.

This design was patented by IBM and I was one of the two inventors on the patent. This patent was owned by IBM and years later they gave a special award for this patent because it decided that it was one of IBM's most important patents. (They wouldn't have done this unless the patent had held up to scrutiny or legal challenges). Unfortunately, by that time I had already left IBM to start my own company--I was at the top of my game and had confidence that I could create a software product of some kind that would be successful--so I missed out on the financial award for the patent. By then, I was at my new company and already in competition with IBM.

By now, the patent should be long expired. Interestingly, IBM ended up buying my company around seven years after I and a partner started it.

I was very aware of the academic literature and industrial practice during this time so I do believe that my invention does reflect original work that ended up with a very significant impact.

From a more personal perspective, the invention didn't financially benefit me. The work that I did at my own company was more creative, inventive, technically impactful, and financially important to me. For example, Austin Ventures has indicated that my company was the start of Austin becoming an important high-tech location, but none of that was related to the cookie.


What was your company?


I'm going to put my guess in as Tivoli.


Yes


i did a consulting gig rolling out Tivoli at Dell in the mid-90s, i think pre-IBM merger! loved the software, hated the [flat] network Dell had in Round Rock at the time! thanks for your detailed comment. love reading tech history stories.


Interesting, what kind of cookies? Like I say in the article Lou Montulli from Netscape is generally credited with creating the HTTP cookie, which they named cookie based upon magic cookies in unix, though it's obviously quite a bit different.


Yeah, I remember in the mid-late 90's when companies would actually disable cookies altogether. Most non-technical people just don't understand the what/how/why cookies work, or were really needed in the browsers.

In the end, it's definitely been used in excessive and somewhat intrusive ways. I also wish that browsers had better controls over second and third party cookies and tracking (similar for nested iframe) in order to bubble some of it closer to the surface. In the end, pihole, ublock origin and privacy badger goes a long way to limiting this.


That's such a cool story! I'm very glad cookies are a thing that exists, regardless of any bad uses they might have.


You're a master baker


Great, so when time travel becomes a thing, I'll add you to the list of people to have a chat with about needing to envision longer term visions for how nefarious people can be. I love that at one point in a not so distant galaxy, er time, that there was a thing of innocence. Now, that innocence can no longer be tolerated and every new thing must have more time invested on how the new thing can be abused rather than just used as intended.


Really? I didn't invent it for browsers, I invented it for distributed file systems before the "World Wide Web" had even been invented. You might as well have a talk with William Shockley or Vint Cerf.


Exactly. How could you have known it would be used for what it's used for now. That's the entire point of the conversation someone from the future could tell you. Why is that unclear? Maybe you're assuming a negative conversation? There are many decisions in my life that if a future me or someone else could show me exactly how things will play out in ways not foreseen by me at the time, I'd be less hostile than you apparently are at the idea.


What? His reply is just a natural reaction to the hostile and reproachful tone of your comment.


This is such a ludicrous comment chain. The tone was clearly negative. You said you wanted to have a chat "about needing to envision longer term visions for how nefarious people can be".


right, but it sounds to me as you are reading it as i'm calling the inventor of the cookie as nefarious. i'm suggesting having a conversation with the inventor about how nefarious people will use his invention.


No, I'm not reading it like that. You clearly say that the inventor didn't think of nefarious people, not that he was one.


- I invented cookies. They’re my baby.

- Why didn’t you have the foresight to predict that it could be used for what it is used for now?

- Whoah there. Kind of out of left field. I had nothing to do with WWW cookies.

?

Seems like you can just tell those friends that you invented the great-grandfather or the fifth cousin once removed on the uncle’s side to the modern cookie and be done with the conversation a lot quicker.


Somewhat probably, don't take it serious. You did good.


Thanks...I think I'm too sensitive about it since this comes up every f'ing time.


Not too sensitive. All of us get annoyed at things we have to constantly reiterate. At least that other user revealed their insanity after they kept talking. Literally explaining why you could never have known, despite claiming you should have "thought harder." Don't feel guilty, you're not the one with the evil idea. We should, of course think long (and sometimes evil), but it's impossible to predict what others will use your tech for.

You did good and there's no problems with what you did.


"but it's impossible to predict what others will use your tech for."

I mean, it depends. If you build an atomic bomb during a war (with unrestrained city bombing from all sides going on), don't act surprised if cities indeed will be nuked with it and people point the finger also towards you.

But a general purpose lightweight distributed storage technology? Seriously no, then you can also blame hard drive producers for enabling tracking.

We all want some websites to store temporary information on our computers. Otherwise we could not log in to anything for example. And that the default of the browsers is to allow any random website to store literally GBs of data on your computer without asking (https://developer.mozilla.org/en-US/docs/Web/API/Storage_API...) - then this is really the choice of ad financed browser developers - and the choice of the users to just accept that behavior (ignorance can also be a choice).


>> but it's impossible to predict what others will use your tech for.

> I mean, it depends. If you build an atomic bomb during a war, don't act surprised if cities indeed will be nuked with it and people point the finger also towards you.

You forgot the first part of the sentence you quoted.

>> We should, of course, think long (and sometimes evil)

My intention is to say that you can't do an exhaustive search and it shouldn't be expected. What's obvious to some isn't to others. This doesn't mean we can just go along without concern for morals. As scientists/researchers/inventors/developers we must think ahead (and evil). But it is like viewing history from a modern lens. We have knowledge we didn't back then and judgement about intent should come from the view of the time. (This also doesn't mean we can't look back at history and see "normal" things that people did as horrific. These are different things)


>Literally explaining why you could never have known,

That's the entire point of coming from the future to the past with information unavailable. It's pretty much Time Travel 101 sci-fi trope. Rather than going back in time with sports scores and stock picks, I was putting it towards nerdy tech dev. Sheesh


You may as well start by having that conversation with the inventor of the time travel device you're using, because - whew boy the nefarious things people are going to do with it!


Just as amazing are people who are not travelling through time.


The only way to never make things that could be misused by nefarious people is never to make things.


Better question here is, why is this not handled through the browser instead of relying on individual web apps to do it.

Block third party cookies by default, delete other cookies on the last tab or window closed and prompt user to save cookies on a form submit ("do not delete cookies for this domain when leaving" type of prompt, for pages with logins, settings, etc).

Also remove features that make easy fingerprinting possible, the site doesn't need to know every font I have installed, just have a "standard set" included with the browser, and use web fonts or whatever for other fonts.


We had P3P spec for it 20 years ago, even implemented in IE! And Google has been sending intentionally malformed P3P header to bypass it. Their trillion dollar business relies on users having difficulty stopping tracking.


TIL. Here is the relevant summary from the spec: https://www.w3.org/TR/P3P/#goals_and_capabs

(for amusement, google P3P and see what comes up first.)


Because the most popular browser is made by an AdTech company


To be fair, I think it was Microsoft who killed the DNT header by enabling it by default.


Given a boolean flag, if 94% of users would select state X, then selecting X by default doesn't seem problematic at all.

Microsoft (for once) did nothing wrong. The problem is the DNT flag was unenforceable, and that's something governments should have pushed on.


DNT is literally the nice bit, the symmetric of the evil bit.

https://www.ietf.org/rfc/rfc3514.txt

But hey, clicking those "reject all" (when you can at all) does not guarantee a bad actor would comply with one's wishes either.

GDPR has had every bit correct _technically_ (needs zero dialog if one doesn't track), but it could only work if these actors were honest. It turns out it reveals how bad they are.

I suppose the only thing that could possibly work is legislation that would guarantee these bad actors to be sued to oblivion + burden of proof on them that they don't track.


> and that's something governments should have pushed on

They did. Our current anti-tracking laws all come from pushing on that.

The problem is that the DNT is way too simplistic. Browsers fail to inform the users about it and keep track of sites independently, and the protocol fails to allow the site to request fine-grained authorizations and inform why they are needed.

There's a sibling talking about P3P that has neither of those problems.


Mozilla should put a red tracker count in the URL bar. That would make people aware of how they're being exploited.


Enabling it by default was objectively the right thing to do. Blaming Microsoft for its death is, in my opinion, incorrect. The ad companies were never going to allow it to be honored.

The thing that killed DNT was making honoring it optional in the first place.


Blaming Microsoft for enabling a user-focused feature by default is a really weird thing to ding them for in the first place.

Especially given all the things you can rightly blame them for.


[flagged]


The 'general victim blaming' feels weird in contexts when there are at least three parties involved (MS, Google, End-Users + X)(NATO, Ukraine, Russia).

And how would you call it, when you compare a technological detail like the default setting of a HTTP header with a war where thousands of humans die? Hyperbole? Metaphorical exaggeration?

I think that is not a good base for a constructive discussion.


A literal cartel of corporations expected to prey on the individual humans betting on the gaps in our psychology. A different corporation has bridged these gaps simply by saying out loud what individual humans actually want, working as a simple re-transmitter of human thoughts. And cartel said that "oh, since we can't win easily now, then you are at fault now" (and not the cartel who blackmailed the world in the first place).

Same happened with Ruzzia. They wanted an easy win (to re-capture everything up to west Berlin again), and because of their blackmail were quickly denied most of those easy wins, when their prey has hidden under NATO protection. They finally tried to capture whatever remained and when encountering resistance they blamed NATO.

Basically every powerful sociopath, be it Ruzzia or ad-tech corpo, want to have absolute freedom of taking what they want. And any attempt to deny them something is considered a fault of the defending party.


How the hell did you get from DNT headers to russia-ukraine?


It helps to have an agenda.


Firefox lets you set "strict tracking protection". The settings page warns you that "some sites may break". Some sites whine about this, usually using "Admiral" to check for cookie blocking. Most of those aren't worth visiting anyway.

There's also Privacy Badger, from the EFF. This turned up that the "Who wants to be tracked" site is using "plausible.io" to track visitors.


> Also remove features that make easy fingerprinting possible

Is this (reasonably) possible? If you ever do a graphics project you'll find that it is pretty difficult to get a pixel perfect render. Hence canvas fingerprinting[0]. (same happens for text rendering)

The problem can come down to the silicon lottery as well as the browser[1]. If you render the same code on two different machines, with the same compiler and libraries, you won't get pixel perfect difference. And GPUs don't match CPUs, though can if you edit the FMA instructions. Usually the best way to ensure images are exactly the same is to compare between Macs because the hardware is very similar and similarly binned. So Macs tend to have lower fingerprints in general (to the best of my knowledge). Current canvas blockers tend to just return a value, but that can obviously be a fingerprint itself.

So my question is if this is reasonably solved? I don't see it by being just the browser unless they can specifically just block a lot of that tracking. Which may require a big actor like Google or Apple to make a stand.

(Note: not an expert, but have done a decent amount of visualization work)

[0] https://privacycheck.sec.lrz.de/active/fp_c/fp_canvas.html

[1] https://stackoverflow.com/questions/47696956/display-pixel-p...


I think it makes sense to roll your own analytics stack using first party cookies, but OP went a little bit overboard by removing all tracking cookies altogether.


The problem is that pool is getting increasingly poisoned. Websites are increasingly hosting third-party analytics and advertising tracker scripts on their own sites in order to evade people who are trying to avoid them.

This is making it much less acceptable to allow first-party cookies and scripts.


Yeah, it seems like sites that offer content without a subscription keep trying to show ads (which nobody buys untargeted because they’d be a massive waste of money). It implies that the content needs to be paid for - and that’s why they’re not all just taking a polite “no” and giving up on it.

And if you believe that Internet ads could be just as scattershot as the Bud Light, Coke, and Toyota spots on TV, consider how much of the Internet ad market is niche stuff you’d never see on TV ads because they couldn’t afford it. Consider every SaaS product: they don’t advertise on TV because their target customer is too niche. Probably 75% of ad dollars would simply not be there without targeting. People choose over and over again to get content for free, and then complain about it because everyone loves to complain. No one loves opening their wallet.


So what? Literally billions of people get tracked and profiled so that some video creator can earn a bit more money... who cares. They can do it for less, or charge money directly if they think they've got what it takes. A few individuals lose a bit, while billions gain some privacy.


>why is this not handled through the browser instead of relying on individual web apps to do it.

Websites want you to explicitly reject consent for using your data. There are many untrustworthy places on the internet, so trustworthy places want to explicitly ask because they don't want the user to reject consent to them just because they are being lumped with the other sites.

Now if you had a browser setting that gave consent by default and allowed users to deny consent that is something that would reduce the need of sites constantly asking you for consent. But any attempt to automatically reject consent is just going to result in sites asking for consent via another channel. See what happened to the do not track header when you try and lump all sites together.


> why is this not handled through the browser

Did you forget what happened the last time 'the browser was handling it'? I would remind you: Internet Explorer, Do Not Track.


If the law has some stack overflows, can we really blame M$ for exploiting them? Dogs are never being controlled by their tails.


I've been thinking about the same thing - this feels like it deserves a native API, so we can get rid of all these dark patterns currently being employed.


It’s there. It’s “Do-Not-Track” and it sadly was never respected by the big platforms (and any developers, really). I’ve never seen a single case where setting the DNT header made a difference — which is dumb considering how infested the web is with privacy prompts…

Server owners can track you with the data they collect, client side can have little control of that. I wonder if there’s a better way possible in the current iteration of the web platform, or if a substantial overhaul is necessary for privacy respecting services.

Perhaps DNT would’ve been more effective if it was written in law? To gather user information for marketing purposes, you must respect this header. But then, how’d you enforce that… other problems: if browsers always set DNT to true by default, then the whole effort is pointless, because nobody will opt-in. This is ideal, but marketers will definitely not like that idea. Thinking out loud here.

EDIT: found an interesting HN thread from 2017 https://news.ycombinator.com/item?id=14377877


> I wonder if there’s a better way possible in the current iteration of the web platform, or if a substantial overhaul is necessary for privacy respecting services

Web browsers taking the reins is the best option we have. Adblock + anti-fingerprinting + cookie jars/cookies being deleted by default are all necessities in the modern day. Ideally, moving people to more privacy conscious choices (i.e. not Google/Microsoft) are great steps to reducing the power of the Internet surveillance capitalism machine.


1. Your proposal is not enough for EU privacy law, so you'd still see banners. First-party tracking is still tracking and you still need a banner if you're going to store any data on the client that is not "strictly necessary" for the user's request.

2. Your proposal gives a pretty crummy experience in cases where users do expect the site to store data on the client longer. For logins you're popping up a confusing banner, and for client-side only storage (shopping carts, preferences, work in progress) you're silently discarding people's work.


No consent is required to store cookies required for the site to function. Login cookies, shopping carts etc are fine. The only reason websites display these banners is because they want to track you, and they rely upon misunderstandings like you are propagating to whitewash the request.


Login cookies, yes: by entering the username and password the user is requesting that you log them in.

Shopping carts, sort of: if they don't check out immediately and you keep the item in their cart (which they may want but didn't explicitly request) you're in violation: https://ec.europa.eu/justice/article-29/documentation/opinio...

Other things: it has to be "strictly necessary" which is a high bar and many things don't meet it. For example, implicitly learning your preferences from your behavior doesn't.


Sites can function just fine without storing my shopping carts locally.


They don't have to store the whole contents of your cart locally, but they need to store at least a token on your machine so they can remember that this cart is yours.


The last thing a browser wants to do is break experience for older sites. If a site relies on 3rd party cookies for log in, it will no longer work on your browser. It makes your browser look shit. Same reason we allow unclosed tags, crossed tags, etc.


We also had shockwave flash, blink tags, keygen tags for cert generation, etc., so yeah, we can change stuff if we need it. But since the biggest browser is owned by an ad company that earns money by tracking us, this will probably never happen.

An alternative would be to have a cookie jar per domain.
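What a cookie jar per top-level site changes for an embedded third party, compared with the classic shared jar and with blocking third-party cookies outright, is shown in this added example (not part of the original comment). The hosts, the `uid` cookie and the tracker behaviour are constructed, and "site" is simplified to an exact hostname rather than a registrable domain.

```python
import itertools

TRACKER_HOST = "tracker.example"  # constructed third party embedded on every page
POLICIES = ("shared", "partitioned", "block_third_party")


class CookieJar:
    """Toy browser cookie store.

    shared            - one jar per cookie host (classic third-party cookies)
    partitioned       - one jar per (top-level site, cookie host) pair
    block_third_party - cookies stored/sent only when host == top-level site
    """

    def __init__(self, policy):
        if policy not in POLICIES:
            raise ValueError(f"unknown policy: {policy}")
        self.policy = policy
        self._store = {}

    def _key(self, top_site, host):
        if self.policy == "block_third_party" and host != top_site:
            return None                      # no jar at all for embedded hosts
        if self.policy == "partitioned":
            return (top_site, host)          # jar is scoped to the site in the URL bar
        return (None, host)                  # same jar no matter where it is embedded

    def cookies_for(self, top_site, host):
        key = self._key(top_site, host)
        return dict(self._store.get(key, {})) if key is not None else {}

    def set_cookie(self, top_site, host, name, value):
        key = self._key(top_site, host)
        if key is not None:
            self._store.setdefault(key, {})[name] = value


class Tracker:
    """Hypothetical third-party server: issues a uid when none is presented, logs each hit."""

    def __init__(self):
        self._ids = itertools.count(1)
        self.log = []                        # (uid seen or issued, embedding site)

    def handle(self, cookies, embedding_site):
        uid = cookies.get("uid")
        to_set = None
        if uid is None:
            uid = f"u{next(self._ids)}"
            to_set = ("uid", uid)
        self.log.append((uid, embedding_site))
        return to_set


def simulate(policy, visits):
    """Visit each top-level site in turn; every page embeds TRACKER_HOST."""
    jar, tracker = CookieJar(policy), Tracker()
    for top_site in visits:
        reply = tracker.handle(jar.cookies_for(top_site, TRACKER_HOST), top_site)
        if reply:
            jar.set_cookie(top_site, TRACKER_HOST, *reply)
    return tracker.log


def linked_sites(log):
    """Sites the tracker can tie to one uid; any group here is a cross-site profile."""
    by_uid = {}
    for uid, site in log:
        by_uid.setdefault(uid, set()).add(site)
    return sorted(sorted(sites) for sites in by_uid.values() if len(sites) > 1)


VISITS = ["news.example", "shop.example", "news.example"]  # constructed browsing session

if __name__ == "__main__":
    for policy in POLICIES:
        log = simulate(policy, VISITS)
        print(f"{policy:18} log={log} linked={linked_sites(log)}")
```

Under `partitioned` the tracker still recognises a returning visitor on the same site, which keeps embedded widgets working, but it can no longer join the two sites into one profile.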


Browsers already detect login forms to offer autocompletion and password storage. Surely it wouldn’t be insurmountable to detect cookies being set after a login flow, and let users confirm that they want this login to persist.


Is this really different from disabling JavaScript, which will also break the majority of sites?


Safari and Firefox block 3rd party cookies by default.


On mobile safari, private tabs isolate cookies from each other. Also, once you are in private mode, all links open in new private tabs. Close the tab, and the cookies are gone.

I never turn private mode off. I wish firefox and chrome also worked this way.


My default browser on Android is Firefox Focus. No history, no tracking, cookies removed on close.


GDPR is not about cookies, it's about tracking.

Browsers can (and do in the case of Firefox and other privacy respecting browsers) try to make it harder to track you, but it's not something they can just unilaterally turn on or off.

Consent dialogs are about what sites do with the information they get about you, not just about what information they get.


> Better question here is, why is this not handled through the browser instead of relying on individual web apps to do it.

We had Do-Not-Track header once. It did not play out very well.


Sometimes I wish GDPR included a clause stating that presence of the Do-Not-Track header equals to the user not giving consent.


Has this been tried in any courts? It could be argued that this is the case.


How would that change anything?

DNT = no consent, no DNT = no consent


Cookie-consent != tracking consent.


Cookie consent also predates GDPR.


Lynx browser does this, for every website I choose which Set-Cookie headers I want to respect and which to ignore.


I might be wrong but I think the EU regulation that forced these cookie acceptance forms―I can't remember if it was GDPR or some earlier directive―specifically required that the consent submission may not be automated so that the browser can be configured to accept everything.

It may have had good intentions as entities such as Microsoft would just set their browsers to default to accept all cookies anyway and a marginal group of people would know how to turn it off and even they couldn't still be sure if a proprietary browser still accepts and sends cookies without just telling the user.

So as usual the good intentions have turned into a cat-and-mouse game in the technical, grassroots realm. There are browser extensions that will just kill these consent dialogs automatically and websites try (luckily, not very hard so far) to work around the kill scripts. Everybody suffers.


> the EU regulation that forced these cookie acceptance forms

No such regulation has ever existed in the EU.


Non tracking ads pay something like 90% less than tracked ones.

If your salary was going to be cut 90% tomorrow unless you started every conversation with the exact words 'I might remember this conversation later', would you just take the paycut?

So no, they didn't require them in plain text. But they essentially did so when the only real alternative was to go out of business.


That's correct.

The regulation is about providing consent to process personal data.

Many people fail to see the difference.


> Many people fail to see the difference.

By design. The prompt wants you to think the site only needs your permission to store necessary cookies such as for authentication, when in fact it is always because they want to track you and sell the tracking data.


There was a cookie law prior to GDPR. That's when the obtrusive dialogs started showing up.


> I think the EU regulation that forced these cookie acceptance forms

Yep, I'm just not sure if it was general incompetence or just plain lobbying by third parties to do so.


The EU regulation enforced _asking users for permission before being tracked_ for non legitimate interests. There is new regulation in progress that mandates opting out to be as easy as opting in ("the Good").

None of this would be a problem if companies only used cookies for legitimate purposes.


Someone should do a talk a la "Birth and Death of Javascript"[0] on the topic of cookies. What started nearly 30 years ago as a crude means of storing state over a stateless protocol spawned an entire industrial ecosystem around systematically tracking and spying on internet users. Take a step back and it's an insane journey.

0 https://www.destroyallsoftware.com/talks/the-birth-and-death...


I have switched one of my sites to cookieless analytics and it is bad for everybody.

I can't even say how many users this site has now. It could be the same user coming back over and over. Or many users. How would I know.

Yes, I could track a ton of stats about every pageview like user agent, screen resolution etc and then try to stitch it back together. Trying to figure out how many different users there are. But this type of "stitching together" would probably also count as PII.

I cannot test new features and see if it makes users happy so they come back more often.

I cannot see if the site has issues on some hardware, software, language. Because I wouldn't see if users affected come back less often.

I can't test if an introduction text at the beginning helps users discover important features. Because I can't make the connection between showing the text early on in the user journey and usage of features later on. Because I can't see a user journey.

This is a site I run for the enjoyment of me and the other users. Probably a few thousand a month. And I can say the site was much easier to develop with a normal cookie approach to tracking. I have gone the cookieless way for about a year now. And I can say with certainty that it would be a better site now if I kept the cookie approach. When the developer flies blind, that's bad for everybody.

I think for a commercial site, where a degradation of 10% in user experience can tank the business, there is no way around cookie tracking to figure out what works for users and what doesn't.

This is another reason, why European internet companies do not stand a snowball's chance in hell to compete with their US competitors.

European companies need to bug all users and beg for cookies. While US companies only need to do that with their European users.


This is similar to law enforcement saying: "You mean we cannot track everything you say and do. How in the world are we supposed to do our jobs safely and efficiently?" Answer is, you basically can't. Not safely and not (as) efficiently. Because the world will turn dystopian and will destroy the very thing we are trying to create/maintain. (Happiness, etc)

It's nice to be able to A/B test your blog or product. It's cool and efficient, but it also hurts and to me that hurt outweighs your company's marginal benefits although it is a nuanced and difficult discussion to be fair. I'm being simplistic here to make the point clear. I hope.


> it also hurts

How is simple analytics or A/B testing that's NOT internet-wide tracking (that is, only for the website you're on) or sold (which would be outright illegal without explicit consent) hurting you? Genuine question, because I don't see it. Internet-wide tracking across many sites: sure. But that's a very different thing – it's the difference between "I'm home Darling, I saw Sander at the mall today" vs. "Hello everyone, here is everything Sander did this week".


It's like being issued a state mandated always online tracker and then police would say verbally that they promise not to abuse that data.

And before people would nitpick my comment, metadata is surveillance. https://www.schneier.com/blog/archives/2013/09/metadata_equa...


I bet HN keeps server logs; would you say you're being surveilled by viewing this page and posting that comment? If not, why not? What's the difference between that metadata and any other?


Surveillance is a deliberate action. If some incidental metadata is temporarily stored at HN and then evicted and deleted permanently in reasonable timeframes then it is not a surveillance. But as soon as it's analyzed, and/or specifically stored for prolonged periods, and/or unnecessary metadata is collected (not required for basic tech support and server administration), and/or linked to the user profiles more than needed to save and display our posts - then it's surveillance.

If I passed by your house and saw you walking your dog at 10:34 18/05/2023 and then promptly forgot about it, it is not a surveillance. If I set up a permanent observation post across the road from your door and will tail you daily everywhere you go - it's a surveillance. Even if I pinky promise that it is my own internal information and I would not share it, sell it, exchange it etc.


> set up a permanent observation post across the road from your door and will tail you daily everywhere you go

But I don't really see how that is happening here? I agree that would be bad, but merely checking "a user visited my website" is a very different thing than seeing what someone does all over the interwebz. It's very questionable this minimum of information can even be tracked to you when done right.


I'm not claiming the relation is causal. I don't know what happens between happy world -> happy world with constant surveillance -> dystopian hellscape. The same is true for HN logs. I'd say, yes those logs are a form of surveillance. If that matters is where the debate is. It's hard to say, because these things are slippery and take (a long) time.


Of course they’re being surveilled on Hacker News. Keeping a finger on the pulse here is the epitome of low hanging fruit for law enforcement and intelligence. Why would anyone suspect otherwise?


The data is that of "I have a person who likes monkey paws" and then they can sell that to the monkey paw conglomerate. Next thing you know you're getting monkey paws in the mail!


The entire premise of my question is that data is kept private between the two parties (the website owner and the visitor). I don't see how this connects with that at all.

And how do you even get someone's mail address without an extensive internet-wide profile (which, again, isn't what the premise of my question was in the first place)?


It’s one thing to say that you’ll keep the data private between you, but from the user’s perspective there’s no guarantee. Whether that’s because you change your mind and decide to sell the user’s data, or there’s some sorta data breach, or or or.


I get the feeling. But to make things very simple, it's again like law enforcement tracking everything you say and do. Let's say it's a single agency, with a single employee doing the tracking to keep it easy.

How is that hurting you? How is your every movement being tracked by a single agency such an issue? They said they would keep it private, pinky promise.


Law enforcement tracking everyone can have serious and unintended consequences in a way that a SaaS tracking visits is unlikely to have.

An extreme case is on the other side, is to compare simple site limited tracking to a coffee shop being able to see who enters the door. Why should they track how I look and the way I'm dressed? Does it make service harder if you have to work blindfolded? Tough luck, my privacy is more important than your wish to provide your customers with good service.


“Unlikely” being the keyword here. I know it’s unlikely, but just the act of collecting all this data makes it dangerous. IMO the benefits are small compared to the longterm risks so I lean towards, don’t track, just deliver “good coffee”. No need for hyperoptimalization of the coffee experience.

In your example they are only looking. It would be different if they were recording their observations in a structured manner (aka cameras). Even writing it down by hand would raise flags, would it not? Sure, being a human means looking at me and my coffee to brew it, but recording everything I do in (semi)permanent storage? Is that human? Is that necessary to brew coffee?


On its face it is harder for baristas to be blindfolded. It would literally be a worse coffee shop at blindfolded baristas than normal coffee.


Yes, but that's my point. A large number of companies uses analytics data to provide better service and products without any sinister motives.


The difference is that keeping cookies is a user choice.

You can set your browser to not store cookies at all.

Or to discard cookies when you close it.

Or you can delete cookies whenever you feel like.


The problem is that there are good and bad cookies:

- session cookie: good

- tracking cookie: bad

I remember a time when browsers would ask you for every website if you wanted to keep the cookies and because most cookies were good cookies, everybody agreed to accept them. Later came the ad industry and started to introduce bad cookies.


My violin is probably small-medium sized for this problem.

You can talk to your users in person and ask them, or poll them via email. Do usability tests etc. I guess it just costs more.

Other industries have to do this, they can't just default-spy on their customers.


Yeah so I run/build/maintain a platform in the public survey space and we have a feedback box for users at the end. This box is a really good source for feedback, don't get me wrong, but a lot of the feedback is "When I hit the button, nothing happens" or "Totally broken, completely unusable" both of which are useless to us. These users clearly want us to fix something, but we have no visibility on what that is.


I'm 85% sure the problem they have is a problem you can't fix.


> or poll them via email

Marketing survey emails are infinitely more annoying than cookies.


Have you ever actually responded to an email poll and not just unsubscribe/block the emails?


Yes


> You can talk to your users in person and ask them

doesn't scale.

> poll them via email

doesn't work.

> default-spy on their customers

analytics is not spying.


>doesn’t scale

Yes it does. Have you never heard of a survey?

>doesn’t work

It absolutely can. For instance, polling via newsletter is rather effective.

>analytics is not spying.

If it contains any personally identifiable information that is not required by law, then yes. Yes it fucking is.


I'm not in agreement with the top comment's cookie needs, but no. Surveys are not comparable to using analytics/tracking to determine user behavior.

Surveys measure what people say and are sporadically filled out. Cookies measure what people do with granularity and accuracy and will have near 100% coverage.

People aren't concerned about spying via survey because they're not even in the same realm of effectiveness.


> If it contains any personally identifiable information that is not required by law, then yes. Yes it fucking is.

wahwahwah


>doesn't scale.

Much of the math behind surveys is based on finite samples taken from infinite populations. It scales really, really well. You just have to make sure your samples aren't totally biased, which is a little more difficult. But there are ways to reduce those problems, if you're aware of how the bias is introduced.


You can poll them via pop ups.

I've seen this done a couple of times. The sites took care to make it unobtrusive, sensibly placed and with short, meaningful questions.

Frankly I think the data they got drove better decisions than analytics.

I liked that they let you write a message too.


I like this method. Earlier today I filled in some gov forms online, and at the end it asked if I'd like to do a short survey on my experience - I was happy to oblige, because I have a personal interest in service improvement.


you don't need scale, you need good data


Good data requires statistical significance which needs scale


you only need 5 people to test poison


This is all bullshit. We literally did this sort of thing for years on the Internet before all of this tracking was common.

Every company claims that they are doing this stuff to make things better for users, and it never is.


Genuinely asking - what is the easiest method for doing this other than cookie tracking? I’m inclined to agree with the commenter above and it feels like a community of developers would sympathize with this but it seems like everyone is acting like it’s not a big deal.


> We literally did this sort of thing for years on the Internet before all of this tracking was common.

You mean back when your average website was hot garbage? The yearning for the days of static HTML pages is childish atavism


The average site today is hot garbage. But now it requires several orders of magnitude more bandwidth and processing power to render. Not sure this is progress.


You are literally using a website that was created by someone who started an online storefront app in 1995. Amazon started around the same time. Google a few years later.


Who said anything about static HTML pages? Keep beating that strawman though.


I'm not saying it's easy or perfect, but Wikipedia does tracker-less analytics, and yet still produces https://stats.wikimedia.org/#/all-projects .

We do use cookies for part of the analysis, but they're not unique user-tracking cookies. Instead there's one that simply tracks a self-reported datestamp on when the user last visited, which looks something like:

WMF-Last-Access=2023-01-01,Expires=Wed, 01 Feb 2023 12:00:00 GMT

(we send a Set-Cookie for this with the current datestamp only to the 1-day accuracy, which expires ~32 days after it's set (but rounded to 12-hour accuracy), and is replaced constantly).

There's another more-recent one we use that's explicitly about differential privacy, which sends back info on the hashes of the 10 most recent URLs you've visited on the site, IIRC. None of them are unique tracker hashes for a given user, though.
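
An added example, not part of the comment above and not Wikimedia's code: one way a day-granular last-visit cookie like the one described can yield daily and monthly unique-visitor counts with no per-user identifier. The counting rule, the function names and the sample requests are assumptions constructed for illustration; only the cookie name, the date format and the ~32-day, 12-hour-rounded expiry come from the comment.

```python
from datetime import date, datetime, timedelta, timezone
from email.utils import format_datetime

COOKIE_NAME = "WMF-Last-Access"   # cookie name as given in the comment
LIFETIME = timedelta(days=32)     # "~32 days" per the comment
HALF_DAY = 12 * 3600              # expiry granularity in seconds


def build_set_cookie(now):
    """Set-Cookie value: UTC date only, expiry rounded down to a 12 h boundary.

    Coarse values mean many visitors receive byte-identical cookies, so the
    cookie itself cannot serve as an identifier.
    """
    now = now.astimezone(timezone.utc)
    ts = int((now + LIFETIME).timestamp())
    expires = datetime.fromtimestamp(ts - ts % HALF_DAY, tz=timezone.utc)
    return (f"{COOKIE_NAME}={now.date().isoformat()}; "
            f"Expires={format_datetime(expires, usegmt=True)}")


def last_access(cookie_header, today):
    """Date stored in the cookie, or None if absent, malformed or in the future."""
    for part in (cookie_header or "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == COOKIE_NAME:
            try:
                seen = date.fromisoformat(value)
            except ValueError:
                return None
            # A future date cannot have been issued by this server; ignore it.
            return seen if seen <= today else None
    return None


def classify(cookie_header, today):
    """(first request today, first request this month) for one request."""
    seen = last_access(cookie_header, today)
    first_today = seen is None or seen < today
    first_this_month = seen is None or (seen.year, seen.month) < (today.year, today.month)
    return first_today, first_this_month


def count_uniques(requests):
    """requests: iterable of (utc_date, Cookie header or None).

    Assumed rule: a request counts once for the day (month) if its cookie is
    missing or older than the day (month). Clients that never return cookies
    are counted on every request, so a real deployment needs a separate
    correction for them; none is attempted here.
    """
    daily, monthly = {}, {}
    for today, header in requests:
        first_today, first_this_month = classify(header, today)
        daily[today] = daily.get(today, 0) + first_today
        key = (today.year, today.month)
        monthly[key] = monthly.get(key, 0) + first_this_month
    return daily, monthly


# Constructed sample requests (not real traffic).
D18, D19 = date(2023, 5, 18), date(2023, 5, 19)
SAMPLE_REQUESTS = [
    (D18, None),                                      # no cookie: new today, new this month
    (D18, "WMF-Last-Access=2023-05-18"),              # already seen today
    (D18, "WMF-Last-Access=2023-05-17"),              # new today, same month
    (D18, "theme=dark; WMF-Last-Access=2023-04-30"),  # new today and this month
    (D18, "WMF-Last-Access=garbage"),                 # malformed: treated as absent
    (D18, "WMF-Last-Access=2023-06-01"),              # future date: treated as absent
    (D19, "WMF-Last-Access=2023-05-18"),              # returning visitor, next day
]

if __name__ == "__main__":
    print(build_set_cookie(datetime.now(timezone.utc)))
    print(count_uniques(SAMPLE_REQUESTS))
```

Each request is classified from the cookie it carries alone, so the server keeps no per-visitor state and the logs need no join on an identifier.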


>which send back info on the hashes of the 10 most recent URLs you've visited on the site, IIRC. None of them are unique tracker hashes for a given user, though.

That seems highly unlikely to never be unique for some users.


The hash is keyed and rotates once a day, so it's not a long-term history. And in any case, nobody's trying to build a unique tracker out of it on the other end, which is the main thing (even in our internal analytics, we even throw away the PII we get directly from request attributes after 90 days).


You could ask people! There is hardly a site I use day to day that I couldn't send a ten paragraph rant about poor usability to the company, if that was socially permissible and felt like they'd care. There's hardly a site I use where I think the developers have ever used it themselves, or ever seen someone trying to use it, for that matter.

> "Because I can't see a user journey."

Today's worst offender was trying to follow an invite and register an account within a company account, it took me two goes through the signup form, two attempts to edit my profile, trying to login to three different subdomains, one useless search of their documentation site, three error messages, two rounds of asking my coworker to check their admin side, before I saw the right thing to do. "You" (big silicon valley company) don't need tracking cookies to "see a user journey" or to tell you that "I really love your site because I keep coming back to it and looking around", you need to grab someone in a hallway and push them through the workflow and watch them fall on their face over and over.

> "I think for a commercial site, where a degradation of 10% in user experience can tank the business"

Imagine how amazing websites would be if that were at all true. Have you seen the user experience of Amazon? or eBay? or Facebook? or 'new' GMail or new Reddit or non-websites like Teams or WebEx?


Oh no. But that’s how all desktop programs without telemetry work.


> and it is bad for everybody

Hang on, it's not bad for me. If I visit your site, it's not because I want to participate in some kind of A/B testing (whose results you'll never tell me about). And if your site only works if I happen to have hardware X installed, you don't need analytics to tell you that your site is broken.

> European companies need to bug all users and beg for cookies.

That's nonsense. If cookies are needed for the correct operation of the site, then there's no need to beg or bug.

So your banner should be saying: "Can I please set tracking cookies that make no difference at all to the correct operation of the site? [Accept] [Reject]". Then count the number that say Accept, note that the number is approximately zero, and then scrap the banner.


> If I visit your site, it's not because I want to participate in some kind of A/B testing

Nobody wants to be part of the A/B testing; everyone wants the polished product that's the result of A/B testing.

> And if your site only works if I happen to have hardware X installed, you don't need analytics to tell you that your site is broken.

What? Yes you do, or something similar.

> If cookies are needed for the correct operation of the site, then there's no need to beg or bug.

Strictly needed. Suppose I have a dark theme slider, or a language selector, for users who don't want me to follow their OS's settings (or can't or don't know how to change their OS's settings). That's a nonessential cookie which requires the banner.

And if you disagree, your opinion is not worth a lawsuit; the only way to be sure that your use of cookies is limited to those strictly necessary is hire a very expensive European consultant.


> everyone wants the polished product that's the result of A/B testing.

I'd prefer a polished product that's the result of communicating with users.


A/B testing is the reason why websites get “optimized” for the wrong target values, typically “engagement”. It’s what drives the enshittification of the web. It’s not what users want.


If you paid for said site, sure.

If you didn't pay, I'm not sure why you feel entitled to anything.


Why would you need to know anything but hits/month and ad-revenue/month?

Why don't you just hash the IP-address and count unique users that way?


He gave several valid examples in the comment you're replying to.


that's easy: to improve the service.


This is the generic reason that is always given, but I don't think I've ever seen exactly how the service will be improved and why cookies (or any uniquely-identifying data) are the only way to achieve the desired outcomes.


I'm sorry, but have you tried making and hosting a website? Product Analytics is a very popular category for a reason.


Many, many times :)

My point is that it's never described. Even in the detailed options for those cookie banners that permit you to tweak things. Sure, there are (some) details about "our partners" and advertising etc, but exactly how the service will be improved is never explained.

The reason is simple and obvious: nobody knows. Companies collect data in the belief it will be useful in improving the service, but generally chuck it into a data-swamp and occasionally rake it over to extract basic info like navigation routes.

I'm also rarely convinced that improvements can't be better determined by focus groups and other similar methods.

"Improving our service" is a glib catch-all that rarely stands up to scrutiny.

There may be specific examples where a cookie is genuinely the best method to improve a feature -- in which case: name the feature, list the metrics, declare success/fail criteria, and stop collecting the cookie after the decision has been made.

Edit: typos.


Okay, how? Provide details, thanks.


>hash the IP-address

How would that work? I can't think of any approach where getting the original IP back from the hash isn't trivial.


you don't need to get the original ip back, just need to know how many unique ips are there, so sha(ip) is good enough


With little over 4 billion IPv4 addresses.

From a stackoverflow post from 12 years ago:

> I know I do 622 million SHA-256's per sec on a Radeon HD5830.

Which would take around 6 seconds to brute force a 32bit address space.


you can just salt it with some stable random thing


In which case you can just take 6 seconds to generate all the new hashes and build a new lookup table.


You can further add bucketing, and eventually move closer to FLoC.

But this is aside the point, as the spirit of the law only allows "processing for legitimate interests". The use of technology, cookies or on the server is irrelevant. If thread OP has evaluated their collection[0] as legitimate, they can use whatever technology within guidelines. Otherwise, even a cookie less data collection would require consent.

[0]: https://ico.org.uk/for-organisations/guide-to-data-protectio...


I apologize for the double negative. What I meant is that hashing doesn't improve privacy because if you know the hash and the hashing function it's easy to build a hashmap of all the possible IPv4s (around 3.5B). Unless the hash uses some sort of expensive key derivation function, but that doesn't scale.


You could simply salt the hash, though you'd need to treat the salt as a secret.

Alternatively, you could use a new salt every day, which would only allow you to track an individual for a 24 hour period (likely enough for many).


?? sha256 the string and you are not going to be able to get back to the original from that output.

Edit: The small amount of IP addresses makes it easy to brute force through all of them.


The hashing doesn’t matter when IPv4 has such a limited dataset. IPv4 has a little under 4.3B addresses, and a cheaper GPU such as the 1080TI has a hash rate of around 4300MH/s, so it crushes that in a few seconds at most.

From there, you have a direct correlation between the IP and its resulting hash. Meaning you can easily see what the original input was.

You don’t need to break a hash to know what the original input was.


ipv4 space is very limited and you can easily compute all the hashes. There is salting and combined with rotating salts it could work but no one guarantees that you’re not storing them


UIs were developed in the pre-web world without tracking or analytics. If you clearly explain that the cookie is for improving the UI and the user doesn't want it, it's because they don't care about it as much as you do.


Not really cookie-less and it can be considered a regression compared to cookies because of JS, but something that can work is doing stats + anonymization client-side.

You can store information client-side, without sending them over network, but randomly send digests back to your server.

For instance you can store a counter of the times the user went to visit the website, and randomly with a 1% probability send that counter to your server. (It's better to make it random, because if you send every +=1 you would end up being able to track users).

At my work, I do a lot of statistics of user usage, but I always work to do my best not to leak PII. I'm not a security or privacy researcher, so my work is probably not great but still, the way I do it I believe is largely private:

- No unique ID sent, but a daily digest (some people send every single event to their statistics server, and thus need a unique ID to know how many times one person did one action. With a digest that already counts the actions there is no need)

- bucketized persistent data: for example the available storage size of the device the app is running on. Sending precise value would make it easier to track digests from one day to the other and track users

- For booleans, add some white noise (because 20 booleans is enough to identify someone)

- For open-ended information (for instance the list of countries contacted by your SMS app), booleanize it (one boolean per country, cf previous line), and maybe keep a counter to know how many you didn't take into account to know whether you're still missing a lot.

Yes overall doing it with no PII requires much more work, but then Big Tech (and smaller techs like Clearview) clearly showed that any PII can and WILL be used against their users. The best way to never leak user's data remains to never have them in the first place.
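
An added example, not the commenter's code: a sketch of the digest approach listed above, with bucketed storage size, noised booleans and one boolean per known country plus a count of the rest. Randomized response is used here as one concrete way to "add white noise" (the comment does not say which method its author uses), and the field names, country list and 0.75 truth probability are assumptions.

```python
import random

KNOWN_COUNTRIES = ("DE", "FR", "US")  # hypothetical fixed list, one boolean each


def bucket_storage(free_bytes):
    """Report free storage as a power-of-two GiB range instead of an exact value."""
    gib = free_bytes // 2**30
    if gib < 1:
        return "<1GiB"
    low = 1 << (gib.bit_length() - 1)
    return f"{low}-{low * 2}GiB"


def noisy_bool(value, p_truth, rng):
    """Randomized response: the truth with probability p_truth, else a fair coin.

    Any single report is deniable, yet the population rate stays recoverable.
    """
    if rng.random() < p_truth:
        return bool(value)
    return rng.random() < 0.5


def build_digest(device, rng, p_truth=0.75):
    """Client side: one digest per day, carrying no identifier of any kind."""
    contacted = set(device["countries_contacted"])
    digest = {
        "storage": bucket_storage(device["free_bytes"]),
        "dark_mode": noisy_bool(device["dark_mode"], p_truth, rng),
        # How many contacted countries the fixed list failed to cover.
        "other_countries": len(contacted - set(KNOWN_COUNTRIES)),
    }
    for country in KNOWN_COUNTRIES:
        digest["country_" + country] = noisy_bool(country in contacted, p_truth, rng)
    return digest


def estimate_rate(reports, p_truth):
    """Server side: undo the noise in aggregate.

    E[observed] = p_truth * true_rate + (1 - p_truth) / 2, solved for true_rate
    and clamped to [0, 1] because small samples can overshoot.
    """
    if not reports:
        raise ValueError("no reports to estimate from")
    observed = sum(reports) / len(reports)
    return min(1.0, max(0.0, (observed - (1 - p_truth) / 2) / p_truth))


def simulate(n, true_tenths, p_truth, seed):
    """Constructed population: exactly true_tenths/10 of n devices have the flag set."""
    rng = random.Random(seed)
    reports = [noisy_bool(i % 10 < true_tenths, p_truth, rng) for i in range(n)]
    return sum(reports) / n, estimate_rate(reports, p_truth)


if __name__ == "__main__":
    device = {"free_bytes": 37 * 2**30, "dark_mode": True,
              "countries_contacted": ["FR", "JP", "BR"]}  # constructed sample
    print(build_digest(device, random.Random()))
    print(simulate(20000, 3, 0.75, seed=1))  # (raw noisy rate, debiased estimate)
```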


IP address + User-Agent gives you enough data to track "user journeys" whatever this is. I'm curious, what is your favorite example of improving your website based on cookies that you couldn't do with basic IP+UA tracking?


How about tracking the user's pulse while he reads your website via his smartwatch. Wouldn't that give you even more insights into the emotional journey?

My point is: You have to draw the line somewhere (and I think the GDPR line is very reasonable). If you are a business relying on having a perfect website, you can use other means like UX labs.


Sure you can. Just stop crying because you can't share data about your users with 3rd parties without asking them first and get over it.


For some reason my empathy-o-meter isn't really registering your plight. Look, the needle isn't budging, not even a bit.


> I cannot test new features and see if it makes users happy so they come back more often.

Users coming back more often does not imply that they are happy. There’s no substitute for actual user studies.


> I can't even say how many users this site has now.

> I cannot test new features and see if it makes users happy so they come back more often.

> I cannot see if the site has issues on some hardware, software, language. Because I wouldn't see if users affected come back less often.

> I can't test if an introduction text at the beginning helps users discover important features. Because I can't make the connection between showing the text early on in the user journey and usage of features later on. Because I can't see a user journey.

Why don't you just ask your users about these things?


But it's not a question of PII, it's about processing for legitimate interests[0]. If you follow the guidelines then collecting and processing specific anonymised stories is not a problem, cookies or not.

[0]: https://ico.org.uk/for-organisations/guide-to-data-protectio...


Local Storage?

Cookies are just a Dumb Implementation and only persist due to advertising.


GDPR is about tracking, not about cookies.


GDPR isn't "about tracking", it isn't even about computers, it's General data protection regulation. If your local grocer keeps a regular customer's record on paper to give you discounts, that's covered by the GDPR.

See the UK Gov summary site here: https://www.gov.uk/data-protection

Or detailed law here: https://www.legislation.gov.uk/ukpga/2018/12/contents/enacte...

And note Part 1 section 3 points 4 and 7: "'Processing', in relation to information, means an operation or set of operations which is performed on information, or on sets of information, such as— (a)collection, recording, organisation, structuring or storage" and "“Filing system” means any structured set of personal data which is accessible according to specific criteria, whether held by automated means or manually".


You can't use LS or anything like that to get around GDPR.


94% don't want tracking... and the remainder 6% of responses can be attributed to the lizardman constant

https://gwern.net/note/lizardman


I wonder what percentages you'd get if you asked "do you want to eat for free at every restaurant?"

My guess is about the same 94% / 6%. But I'm not sure it's the 6% that represents lizardman.


Heard this called flatlining. I.e. answer all "mostly agree" or whatever.


'acquiescence bias' is real but a different thing. Mischievous responders will flip their answer as necessary to screw with you, they don't just 'go down the line', so you can't simply reverse-code or use other such tricks.


Because no one wants to give up the data, and the revenue that comes with it. They just annoy the hell out of the users until they cave in and just accept it. Since it’s a law and every website has to do it, there is no competition to think of. It’s a no brainer


Because in a society that is optimized for profit, it's not about people, it's about what you can get away with for money.


Alas, our society ain't optimised for profit.


"We value your privacy" is usually a true statement about the monetary value a company places on exploiting your privacy, masquerading as a moral value statement.


I recently tried to disable the consent to share my data with external companies on one website.

There was "accept all" and "manage" buttons, and under the "manage" button there were 100s (yes, multiple 100s) of sites listed, each with consent on by default, and to disable everything I had to manually scroll through it all and click on each item.


My main problem is cross website tracking. I don't really have a problem with a website keeping track of all my visits to that particular website.

I think it works similar in real life as well. You don't mind if a store clerk recognises you coming back to a shop. But you would be kind of creeped out if he also knew where and when you last visited your dentist.


I'm fine with them keeping my purchase history for example. And then maybe even sending me offers based on that. Now tracking what I viewed or browsed on their site get bit harder.

And sharing with anyone else is right out.


I'm more curious about the question of 'who wants free content'.

Because that's really the question here. Would I prefer everything in my life was free with no strings attached? Obviously.

But youtube/news/reddit/facebook/literally any website needs to make money somehow, and non tracked ads pay ridiculously lower amounts (90+%). So the real question is, would you trade what is essentially anonymous tracking (literally no one at Google gives a damn who you are, it's just a unique id fed into an algorithm) for content, or would you rather pay for each and every site on the internet?


Your dichotomy ignores other possibilities. To what extent are we stuck on costly distribution models specifically because those are the ones you can tap for a revenue stream, to what extent are the costs driven by the monetization itself?

I used to help out with the technical infrastructure for Wikipedia and even as the 8th most trafficked site on the internet the cost was radically lower than that of some of my day job customers with comparable levels of traffic. A non-trivial part of the reason for that was that it didn't need all the surveillance and realtime per-request bespoke generation that advertisement-encumbered services require. Part of it was just that there is an awful lot of fat in big commercial operations, since they have enough revenue that it's not a concern. Some is probably because when you're chasing ad dollars the extra spend required to get a 30 ms response instead of a 60 ms response might be justified on the basis of the marginal clicks it generates, but those costs shouldn't properly be considered part of the underlying distribution costs.

I think "yes, I'd be happy to pay for all of it" would be significantly more attractive if paying meant just the component of the cost that actually went to the authors of the material -- on the order of a hundredth of a cent per view. Here is $1, that'll cover the authors' share of all my household's YouTube viewing for the next several years.


Have you noticed that there are many people making cool stuff for free?


I’m happy to enter any sort of transparent business transaction of information-for-content or money-for-content.

But that’s not what the adtech web is, and that’s why it needs to die.

I’d be absolutely delighted to see 99% of ad funded content and services wiped off the face of the web tomorrow, even if a lot of it is stuff I use and enjoy. Which is why I’m bullish on “nuclear options” for regulation such as binding DNT to GDPR, or making opt out default and not even allowing pop-up opt in, or suing a few large companies into bankruptcy for using consent dark patterns or other slight violations, just to make an example.

Because it’s not that ads would be banned by that. It’s tracking and micro targeted ads. And while ads may be necessary to provide “free” services, we need to get away from the idea that the only ads worth showing are ones with precise targeting and advance led fraud countermeasures.


For me, personally, I invest enough time watching YouTube for Premium to be worth it solely to avoid ads.


I'm told that this is how cable used to work. Ads aren't just a necessary annoyance that goes with no-fee products, it's a way to turn users into money and so will be with us no matter how much or little we're asked to pay.


The model of regulation-compliance is this. It's not really about the specifics. Consent, privacy, kyc... Those may be initial motives for regulation, but by the time these exist in the world, they are a set of standard, rigid "compliance" protocols.

From formulation stage, it allows two parallel realities. One in which "consent" or whatnot have an intuitive meaning. Politicians and activists live here. One in which "consent" is a specification for a compliant "3rd party solution." Businesses live here.

Once functional, the bank, website or other complying business can claim the rules were made up by the regulator, and the regulator can either claim to be successful or blame businesses for problems. Being unremarkable, by copying or using 3rd party compliance plugins, is more important than respecting the regulation's intent.

By the time consumers are affected, "consent" has a technical specification. It no longer has much actual meaning.

Think of the hoops, paperwork, informed consent signatures and such that you deal with at a bank. All those things had some regulatory logic behind them initially. Employees at the bank think this is government-required paperwork. What it is is compliance.


“We value your privacy” is a very hollow statement, when the website is asking to track you…


We value your privacy because we can sell it!


They value it, in exact amount of money.


"... at about 20¢" is how I usually read the implied part.


“But, not as much as our bottom line.”


Followed by

[Accept all tracking] [Ritual Hazing]


So you can accidentally click them.


FTA:

> “We value your privacy…”

There's a special place in hell for the originators of this Orwellian triple-speak. Three meanings overlapped: meant to give users the impression that "we respect your privacy" or "we protect your privacy"--but it doesn't say that. It says they value your privacy, which is literally true; they're happy to put a dollar amount on it and sell or mine it, because it's of value to them. That's two true senses; one inferred and one real. But the second gives rise to the third, Orwellian meaning: these people actually don't value your privacy at all. It's a lie, pure and simple. A special kind of lie that has such a flippant, corporate-speak, technically-accurate dry meaning that is meant for a court of law--it holds up when lawyers start arguing long technicalities before a judge--but just one level deeper it is despairingly careless and dystopian.

When I see this phrase I just know I don't want whatever it is these people are going to do with my data. They benefit and I don't.


As a rule, the more that marketing language tries to imply something, the less it is likely to be true.

See e.g. "fat free" labels on sugar-candy.


Or said another way, they can't say "we take your privacy seriously" without first saying "we take your privacy"!


This is a great way to unpack that phrase, thank you! I started the article with that phrase because of the insincere absurdity of it exactly as you describe.


As a successor of Do Not Track, there is Global Privacy Control (GPC) [1]. Sites must respect it by law in California. An increasing number of other states ---Colorado, Connecticut, Montana, and hopefully more soon --- also have provisions in their new privacy laws for privacy preference signals like GPC. You can check if a site respects GPC [2]. For example, lego.com and nfl.com are two bigger ones I recently came across.

Disclosure: I am a privacy researcher and co-founder of GPC.

[1] https://globalprivacycontrol.org/ [2] https://gpcsup.com/
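
For readers who want to see what respecting the signal mentioned in the comment above looks like on the server, here is an added example (not part of the comment and not code from the GPC project). It reads the `Sec-GPC: 1` request header and the `/.well-known/gpc.json` support resource described in the GPC specification; the cookie names, categories and the choice to treat `DNT: 1` the same way are assumptions made for illustration.

```javascript
// Hypothetical cookie inventory: only "necessary" cookies are set without opt-in.
const COOKIE_CATEGORIES = {
  session_id: "necessary",
  cart: "necessary",
  ab_bucket: "analytics",
  ad_uid: "advertising",
};

// Header names are case-insensitive, so normalise before lookup.
function normaliseHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value).trim();
  }
  return out;
}

// GPC arrives as "Sec-GPC: 1"; the older Do Not Track signal as "DNT: 1".
// Any other value (or no header) is treated as "no preference expressed".
function privacySignal(headers) {
  const h = normaliseHeaders(headers);
  const gpc = h["sec-gpc"] === "1";
  const dnt = h["dnt"] === "1";
  return { gpc, dnt, optOut: gpc || dnt };
}

// Decide which of the cookies a page wants to set may actually be set.
// consent: categories the user opted into through a banner (may be empty).
function allowedCookies(headers, wanted, consent = new Set()) {
  const { optOut } = privacySignal(headers);
  return wanted.filter((name) => {
    const category = COOKIE_CATEGORIES[name] || "unknown";
    if (category === "necessary") return true;
    if (optOut) return false; // assumed policy: browser signal beats banner state
    return consent.has(category); // unknown cookies are never consented to
  });
}

// Body for /.well-known/gpc.json, which lets visitors and scanners see that
// the site declares support for the signal.
function gpcSupportResource(lastUpdate) {
  return JSON.stringify({ gpc: true, lastUpdate });
}
```
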


We use zero cookies on our website, so we have no consent banner. But people got so used to seeing "cookie consent banners", that we are considering introducing a "no cookies here" banner.


For some cookies, basic session management for instance, you don't need a banner anyway. Many sites want people to believe it is needed for necessary cookies, but that is either because they want the public to be against all the warnings (so they can go back to silently tracking everything) or because they have a very skewed idea of what necessary means in this context.

In most cases sites could just use necessary tracking without permission but seek explicit opt-in for the rest. They won't do it that way of course because most people won't opt-in unless nagged or conned into doing so.

(the other reason for consent questions where they are not really needed is people playing safe lest they have to defend the lack of a consent form in legal court or the court of public outrage)


Because they also want everything for free.


> Because they also want everything for free.

Maybe people just go to the cheaper option available because increasing inequality has left millions with no disposable income.

This is the same logic by which people prefer cheap furniture instead of high quality one. It is not a preference for cheap but it is just what they can afford, if they had more money most people will get the higher quality version and pay the price.


> Maybe people just go to the cheaper option available because increasing inequality has left millions with no disposable income.

No disposable income would mean not being able to spend money, meaning never buy anything. If this was true the ad industry would very quickly run bankrupt. And yet the revenues of Google and Facebook indicate otherwise.


Even without disposable income, advertising can still lead to people choosing alternatives and directing their spend someplace else, so your conclusion does not follow. If someone is maxing out their income they can still be advertised to to get them to switch consumption habits.


94% of people want me to be president. Caveat: I did not define what it means for them to want me to be president.

In other words, what does it mean to be "tracked"? How was the question worded? You can change this value from 1% all the way up to 99% depending on how you ask the question, because "being tracked" is open to interpretation.

Truly a useless poll.


Hi, the exact wording on the poll was "If given the option, I would prefer not to be tracked online."

The reason why I didn't define "tracked" for the people taking the poll is that I think that's the most representative way to replicate the question that consent boxes are theoretically asking, but in an abstract way out of the context of a specific website. When a user sees that consent box, they have little to no idea of what tracking is actually happening.


Hmm, I guess that's a good rationale, but unfortunately it's still useless. I believe that websites adopted the simplistic "don't track me" language because they want to appear to be embracing the law. I've asked a lot of people (> 100) what it means to them to be "tracked" and they have no idea what it means, but they're afraid of whatever it means.


I don't understand why we still don't have a standard for a built-in tracking preferences system in browsers. We have that for the microphone, webcam, and location access... why do we let websites control tracking preferences with their own design they can make as obscure and manipulative as they wish?


Because there are legitimate uses for cookies etc. that do not require consent, like for example for shopping carts. But you can’t distinguish them from consent-requiring tracking in an automated fashion. In addition, there are finger-printing techniques that are virtually impossible to prevent, so websites would just start to rely more on those. It’s a bit like asking “why don’t we just block spam mails?”


Hi! It me, the hapless nerd who goes, "Sites need this data to use analytics to improve their services."


Hey, 3x more people clicked that than "I've reviewed the site's terms and they are acceptable to me." :)


I would assign the probability of them using this data to improve their services at well under 1%.


Cause the prob being solved by search rankings, newsfeeds, maps etc is info overload. People forget that all the time.

There is too much info out there. Context about the user shrinks the ever growing info sphere.


This is a misleading statistic. Most people will not care if I implemented a view counter on my website that uses a cookie to prevent the same user from counting as multiple views.


I agree that most people would not mind that scenario, the issue is that that scenario requires the same consent box that the most invasive adtech would use and it's far too onerous on the user as things are now to discern the difference.


I have a notion to test cookie banners, to check whether it makes any difference whether you [Accept] or [Reject]. I strongly suspect that for many sites, it doesn't.

Many sites seem to be offering a choice of [Accept] or [Settings]. I've never clicked on [Settings]; it might as well lead to a goatse, as far as I care. I don't want to choose options on a cookie banner at all, so why would I opt to see a complete separate page of options?
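
One way to run the check proposed in the comment above, shown as an added example that is not part of the thread: record the `Set-Cookie` response headers after clicking [Reject] and after clicking [Accept], then compare what ends up in the cookie jar. The header lines, host names and the allow-list of necessary cookies are constructed for illustration, and `siteDomain` is assumed to be the site's registrable domain.

```javascript
// Parse one Set-Cookie header line into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq < 1) return null; // no cookie name
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const attr of attrs) {
    if (!attr) continue;
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// Max-Age <= 0 tells the browser to delete the cookie, so it is not "set".
function isDeletion(cookie) {
  const maxAge = cookie.attrs["max-age"];
  return typeof maxAge === "string" && Number(maxAge) <= 0;
}

// Replay the responses in order and return the cookies left in the jar.
function cookiesAfter(siteDomain, responses) {
  const jar = new Map();
  for (const { host, setCookie } of responses) {
    const c = parseSetCookie(setCookie);
    if (!c) continue;
    const attr = c.attrs.domain;
    const domain = (typeof attr === "string" && attr ? attr : host)
      .replace(/^\./, "").toLowerCase();
    const key = `${c.name}@${domain}`;
    if (isDeletion(c)) { jar.delete(key); continue; }
    jar.set(key, {
      name: c.name,
      domain,
      thirdParty: !(domain === siteDomain || domain.endsWith("." + siteDomain)),
      persistent: "max-age" in c.attrs || "expires" in c.attrs,
    });
  }
  return jar;
}

// Report every cookie that survives [Reject] and is not an allow-listed
// first-party cookie, noting whether [Accept] sets the very same cookie.
function auditReject(siteDomain, necessary, afterReject, afterAccept) {
  const rejected = cookiesAfter(siteDomain, afterReject);
  const accepted = cookiesAfter(siteDomain, afterAccept);
  const findings = [];
  for (const [key, c] of rejected) {
    if (necessary.has(c.name) && !c.thirdParty) continue;
    findings.push({ ...c, alsoSetOnAccept: accepted.has(key) });
  }
  return { rejectHonored: findings.length === 0, findings };
}

// Constructed sample capture (not from a real site).
const NECESSARY = new Set(["session_id", "consent"]); // hypothetical allow-list
const SESSION = { host: "shop.example", setCookie: "session_id=abc123; Path=/; HttpOnly; Secure; SameSite=Lax" };
const TRACKING = [
  { host: "shop.example", setCookie: "_analytics_id=u-7f3; Max-Age=63072000; Domain=.shop.example; Path=/" },
  { host: "cdn.tracker.example", setCookie: "uid=9921; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Domain=tracker.example; SameSite=None; Secure" },
];
const AFTER_REJECT = [
  SESSION,
  { host: "shop.example", setCookie: "consent=rejected; Max-Age=15552000; Path=/; Secure" },
  ...TRACKING,
  { host: "shop.example", setCookie: "promo_seen=; Max-Age=0; Path=/" },
];
const AFTER_ACCEPT = [
  SESSION,
  { host: "shop.example", setCookie: "consent=accepted; Max-Age=15552000; Path=/; Secure" },
  ...TRACKING,
];
const REPORT = auditReject("shop.example", NECESSARY, AFTER_REJECT, AFTER_ACCEPT);
```

On this sample the two tracking cookies appear in both jars, which is the "it makes no difference" outcome the comment suspects.
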


Anecdotal but my wife actually likes that she’s fed such relevant ads on instagram and ends up researching and buying many of the products.


Is there a browser extension to turn these off?


Consent-o-matic can automatically reject consent and legitimate interest prompts.


One of the best ones (as in actually working) is the browser addon: https://www.i-dont-care-about-cookies.eu/


That doesn't turn them off, that just consents to everything, including types of tracking that cookie blockers can't get rid of.

Please use consent-o-matic instead.


From their site: "In most cases, it just blocks or hides cookie related pop-ups. When it's needed for the website to work properly, it will automatically accept the cookie policy for you (sometimes it will accept all and sometimes only necessary cookie categories, depending on what's easier to do). It doesn't delete cookies."

I was assuming they do a lot more hiding (which means declining) than accepting (if at all in practice). Do you have more information about this?


Note that that is a pro-tracking extension.



uBlock Origin with appropriate filter turned on.


You still have to find filter lists that work though. I use uBlock Origin and frequently run into problems where cookie popups are half-blocked - the dialog is no longer visible, but I still cannot interact with or scroll the website. To work around that, I have to deactivate uBlock's cosmetic filters so that I can see the dialog again, then deny cookies. Pretty annoying, I haven't found a setup that fixes that.


Most of the time I have JavaScript disabled as well (only for specific sites and in Private Browsing windows do I have it enabled), which will slightly confound this anecdote, but I believe it was mid-2020 when I last encountered a site that uBlock Origin plus cookie-banner-blocking lists broke the page in the way you describe, and only ever a very few times before that.


Extension named something like Behind The Overlay fixes similar cases for me, it gets rid of anything overlaying the page blocking inputs. Exceptionally effective


This is what I do, it's pretty effective.


Which filter helps with this?


Because companies prefer to track them?


the consent charade is a constant reminder that the modern digital economy is based on large scale deceit and is therefore fundamentally unstable.

yet nothing is done about it, as if it is not important, as if digital tech is not the main, if not only, "driver of future economic growth".

you cannot build a stable economy (well at least not of a democratic, free market kind) relying on complete ignorance and regulatory capture.

anybody who has leverage on the matter and is not doing something about it is complicit in a gigantic, generational level misallocation of resources that will eventually have to be written off.


They exist because they’re required to through applicable laws. The companies want tracking for additional business data and very rarely actually are about the users.


Does someone know why it is legal that in some countries websites are allowed to offer layers that offer a paid version and a tracking enabled version (very popular among newspapers)?

As far as I understand the GDPR, there should be no downside to rejecting the tracking technologies. And Websites relying on advertising, could do so with unpersonalized ads (granted with very different metrics).

Nevertheless, to me it feels, like these paid vs tracked offers are not what the authors of the GDPR intended.


You mustn't reject service based on refusal of non-legitimate-reason data processing consent. Allowing paying to not have ads is orthogonal to the service being provided - in both cases the user gets the news, it's just flanked by ads in one case.


Well, I don't have a problem with the paid version. What I have a problem with, is the refusal of service if I don't consent to being tracked. So if there would be three versions, like 'personalized ads with tracking', 'tracking-free/unpersonalized ads' and 'paid ad-free', that would be fine with me.

What I don't understand, is that it is okay to refuse the service if you don't consent for the ad-supported tracking version. I mean, not giving your consent, means you have to pay if you want to use the service. Doesn't feel like you have a free choice (pun intended).


Sorry, I misread your comment. It's not OK to refuse service if you refuse tracking.

Paid service or ads without tracking is OK.

Paid service with no free alternative is OK - you didn't refuse service based on refusing tracking, you refused it based on non-payment.

Paid service or tracking is not OK.


I believe it’s for the same reason that a pay-only service is legal.


My question would be "who is able to NOT be tracked?"


Related: 99.999% of users don't read T&C's, so why do consent checkboxes exist?

(I made the number up, but I'd be very surprised if I am off by magnitudes).


Why did nobody tell the GDPR folks to require websites and browsers use one standard interface for the permission updates? It could have been so simple. Just let the browser prompt me so I can tell the browser once and for all what I want. Instead it created a website UX virus.


I don't know how the experience is in US, but in EU it's because GDPR is a complete failure of a law which doesn't actually solve any problem.


It solved my problems with exporting data from proprietary webapps such as spotify.


What makes you think so? I’ve seen a lot of good come from it.


IMO the only good thing is it made people aware of what's happening with their data online. But then we are still tracked, the web experience is much worse, SMEs got another "screw you" from the regulator by increasing their operating costs to comply with this and big companies who were to blame for this in the first place found ways to bypass it because they have access to strong legal expertise.


I think the GDPR creates benefits in more areas than you may be aware of.

For example I used to work for a hosting provider. An admin noticed that one of the hosted customers had customer data exposed to the internet without a password. Due to the GDPR he was forced to contact the customer about it, or our company could be held responsible (since we knew about it).


That law is at least an attempt to fix an existing problem. So this is like blaming someone who made a subpar raft for the flood that required the raft.


GDPR is the law which at least gave us these prompts. Before that there were no rules for consent, they would just track you.


There was a law just for cookies before. And no, companies don’t need to put up these prompts, IF they don’t do any UNNECESSARY tracking.


Cookies belong to the e-privacy directive.


I'm with you, these prompts are garbage. But they are better than no prompts, because companies are greedy af and they will track. Fixing that is a much larger issue than the bandaid of law.


The GDPR is on the whole a very successful law which has improved the way companies handle personal data a great deal.

What you are objecting to is specifically the part of that law which mandates consent for gathering personal data, and which resulted in these cookie banners. That's annoying (mostly because a lot of media companies rather continue hoovering up data instead of critically assessing the need to do so), but it doesn't invalidate the better parts of the GDPR. Calling it a complete failure is unnecessarily hyperbolic.


Also the Cookie Banners work, I have installed multiple, and Google Analytics has become completely useless. We now see from stats that only ~20% of people accept Google Analytics tracking. This has led to a new market of trackers that don't require banners, for instance based on User agent and IP hashing from logs.

What is unfortunate is that the law puts the onus on implementing the dialog for individual sites, it should be a feature of browsers. This way users could enforce from browser settings that they don't want to be tracked.


Consent is only one way for obtaining a legal basis under the GDPR.

And the consent banners are industry's own inventions. They could have honored do-not-track and be done with it. Instead, they opted for these dark patterns.


It's the classic corporate dark pattern to undermine regulations.

Choose the most disruptive, asinine way to comply with them. Then argue that the regulation is at fault, and lobby to have it removed.

For example, there have been plans recently in Norway to tax the salmon farming industry more heavily. The response from the industry has been to pretend that this will completely decimate the industry (we'll have to fire tons of folks to protect our massive profit margins hurr durr), which the numbers don't seem to bear out. But now they've managed to convince the workers and they've been protesting to "protect their jobs" when they're actually just being used as pawns to protect a billionaire from taxes.


There are 6 legal bases under GDPR, but that's irrelevant for cookies (or anything that allows you to store or retrieve information on the user's device, really), because they're covered by the older ePrivacy directive. If a cookie is not “strictly necessary”, consent is required.


GDPR takes quite a while to get results, but even Google now has a "deny all tracking" button.


It still feels like these dialogues are really only something lawyers could think is a good solution to companies employing invasive/overbearing uses of customer data.

My gut feel is that most users don't understand what "tracking" really means and simply want to enjoy digital experiences without having to engage with the "what & how" that comes with modern platforms. My partner (and I reckon many other "normal" people) loves the ads on Instagram and enjoys the personalisation on YouTube & Netflix.

The current solution of "be transparent and it's okay" just forces decisions onto consumers that they do not want. The "good" solution outlined in this article (accept/reject) is a big yes or a big no – a green light for everything vs a red light for nothing.

There needs to be further regulation in this space that defines legal vs illegal uses of user data beyond the principles laid out in GDPR. The regulation should aim to define the "what & how", relieving the burden of choice from users and removing this "consent and it's okay" loophole for invasive use of data.



