
Tell HN: I wish “we use cookies” messages could be globally turned off - hoodoof
An irritating notice that websites keep telling me because of some European law I have no interest in.<p>It&#x27;s like saying &quot;this website uses HTTP, we do it to get data to and from your browser, click to agree&quot;.<p>Maybe the major web browsers should built a standard warning Javascript alert API in that can be globally turned off.
======
vincentdm
I also used to hate this directive, but when I read the description on the
website of the European Commission, it is actually much more nuanced than I
thought:

"However, some cookies are exempt from this requirement. Consent is not
required if the cookie is: used for the sole purpose of carrying out the
transmission of a communication, and strictly necessary in order for the
provider of an information society service explicitly required by the user to
provide that service." Source:
[http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm#se...](http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm#section_2)

So it turns out the directive isn't as dumb as many believe it to be, but a
lot of webmasters wrongly believe that any cookie usage implies having to put
up the notice. (Or the nuance was lost on the in-house legal team who briefed
the webmaster.)

I run a software-as-a-service company in the EU, but only use cookies for
login management. Therefore, I do not need to use the warning. But if I would
track my users for advertising etc. I'd have to insert the warning in my web
app.

This thoughtless behaviour reminds me of the thousands of websites which
include a "(c) YYYY" copyright notice in their footers, despite this being
completely irrelevant in modern copyright law.

~~~
danmaz74
Yes but as soon as you use Google Analytics, you need to include the notice.

As a EU citizen, I think this example shows how stupid laws can come out of
good intentions. Why stupid? Because, no matter what the intentions were, the
_only_ practical effect is creating a nuisance for web users, who quickly
learn to ignore the consent requests.

~~~
0x0
I never understood why they didn't force the requirement onto browser makers
instead of website operators. Then users could actually enforce their cookie
choice by opting out, instead of having to trust every website to be honest in
their cookie use.

~~~
tfgg
And browsers have had such options (block all cookies, prompt to accept, etc.)
built in to them since the very beginning of cookies, except everyone turned
them off because they were annoying! So now websites had to add them! And they
are just as annoying! ARGH!

A more useful directive would have been some sort of legally-backed "coloured
cookie" type system, where a cookie has to declare for what purpose (session,
internal analytics, adverts, site-to-site tracking, etc.) it's for, so
browsers can then selectively block those categories. That would be useful,
because then you could punish people who lie about the purpose of their
cookie.

~~~
0x0
Sounds like the misguided P3P "standard" that IE implemented which AFAIK only
resulted in web developers copypasting a HTTP header they don't understand
just to get facebook widgets working.

------
jvdh
The idea behind this proposal was a noble one: companies should ask permission
before invading the privacy of consumers.

Unfortunately, companies collectively decided that their businessmodel does
not need changing at all, and simply implemented a "cookie wall" for all their
consumers. This led to consumers, like you, to quickly get "cookie wall
fatigue" and try to click 'OK' as soon as possible, without thinking at all.

And all the while, we complain that privacy on the Internet is going to hell,
and there is nothing we can do about it, because consumers don't care enough,
or have given up...

~~~
fla
The idea was noble, but the law was poorly done.

If you want to have a Remember me checkbox (=writing a cookie with a session
id), you'll have to get the user autorization. It effectively protects from
nothing, it justs makes more popups in everyones life (yay!).

I think we are living in an era where there is a huge knowledge and perception
gap with the people making the laws (At least in Europe). Hopefully this gap
will narrow in the next 10-20 years, and things will be shapen more correctly
in the future.

~~~
jvdh
The Netherlands has seen some refinement of the cookie law, and there are some
sites, for example [http://www.ns.nl](http://www.ns.nl) where you now have a
choice in what kind of cookies you want to allow.

Again, companies are trying very hard to hide this choice, but a tiny result
from the study is that you do get this choice.

~~~
fla
Even more popups, choices and waste of energy if you ask me :)

------
SmellyGeekBoy
> ...because of some European law I have no interest in.

Nobody in Europe does either. The whole thing is generally considered
completely pointless and unenforceable.

~~~
jon-wood
I think Rock Paper Shotgun's cookie warning sums this up nicely:

> Rock Paper Shotgun uses cookies. For some reason we are now obliged to
> notify you of this fact. Not that you care.

~~~
berdario
While funny, RPS is disingenuous:

after visiting RPS, you'll get cookies from the following additional domains:

    
    
      - adaptv.advertising.com
      - adjs.net
      - b3-uk.mookie1.com
      - mookie1.com
      - doubleclick.net
      - iasds01.com
      - m6r.eu
      - mathtag.com
      - quantserve.com
      - scorecardresearch.com
      - openx.net
      - adnxs.com
    

This might change depending on location and time of when you visit it.

I can see how you might think: "who cares if Google Analytics tracks me?
Google already has all my web searches", but it's not that simple... every one
of these entities can share information about your visits with any other
(search for "cookie matching"), and yet... with a visit to a single (!)
website, you're loaded with cookies from 12 external different domains, all of
which have the exact same purpose.

Personally, I never cared that much about privacy (or at least, this kind of
privacy) but now... if only out of spite... I disable storage of 3rd party
cookies in my Firefox.

So it's not only a matter of privacy, but also a matter of respect for the
(your) user:

as a videogames site, you can easily (?[1]) provide advertisement targeted
only to your main audience (for advertisement metrics and fraud prevention,
the advertiser could just use the referrer and ip of the source, at least for
a first approximation)... so it's not true that giving up (tracking) cookies
would prevent advertisement

OTOH: by including random 3rd party javascript (and not simply static
resources like images, css, etc. with their own tracking cookie) you are
completely leaving your user to the good faith of these other companies, which
are then able to use javascript to load other resources, and so on and so
on... reselling your visits to other companies again

Not only is this wasteful and never done according to the explicit will of the
user, but since the visits span multiple domains, this is something that not
even HTTP2 will be able to help for.

Lastly, I think it's antithetic to the very original purpose of HTTP: HTTP
nowadays is used for webapps and plenty of different things, but reading
articles, seeing images (and possibly videos, just like on RPS) aligns quite
well with the original purpose: downloading and transmitting simple documents
or data thereof

Cookies are a way to circumvent the stateless nature of HTTP, but why
shouldn't a news site like RPS be stateless? (the exception would be for
comments, but that isn't necessarily always true either, and anyhow for that
the issue is more nuanced)

[1] I have never done it, but I hope so... I hope that inserting adwords is
not the only way

------
blfr
There is a list for adblock[1] with our own mike-cardwell contributing but it
doesn't have the kind of coverage you're used to from ad lists.

[1] [https://github.com/r4vi/block-the-eu-cookie-shit-
list](https://github.com/r4vi/block-the-eu-cookie-shit-list)

~~~
pricechild
There is also
[https://raw.githubusercontent.com/liamja/Prebake/master/obtr...](https://raw.githubusercontent.com/liamja/Prebake/master/obtrusive.txt)
which I use to great effect in uBlock Origin.

------
pnt12
Another unfortunate aspect of this law is that it is especially annoyng for
those who delete cookies after leaving a website or closing the browser. Since
the users acceptance of cookies is stored in a cookie, I get that pop-up
repeatedly on most sites, instead of once for each.

------
theandrewbailey
Using NoScript works wonders. In addition, I rarely see the annoying "Sign up
for our newsletter" popups that assault immediately on most sites.

~~~
reustle
You could browse with Lynx, then you wouldn't see any annoying images

~~~
theandrewbailey
Wow, what an impractical suggestion. At least scripting is possible with
NoScript, but images are impossible on Lynx.

~~~
fixermark
Hey, watch it. I use Lynx all the time. It's fast, and works in my terminal.

it's also super-incompatible with a lot of websites, but I know that going
into it.

~~~
72deluxe
I also use it in a console when needs must. Using dillo over SSH/X forwarding
is painful sometimes (particularly as dillo wouldn't compile due to bust FLTK
source).

------
carlesfe
We wish. Us European webmasters REALLY wish.

It is unlikely, however, since it is a EU directive and is now law in most
European countries. Here's my take on why it is totally idiotic and ignorant
of the underlying problem: [http://cfenollosa.com/blog/the-ignorant-eu-cookie-
law.html](http://cfenollosa.com/blog/the-ignorant-eu-cookie-law.html)

------
nailer
'I don't care about cookies' for Chrome:

[https://chrome.google.com/webstore/detail/i-dont-care-
about-...](https://chrome.google.com/webstore/detail/i-dont-care-about-
cookies/fihnjjcciajhdojfnbdddfaoknhalnja)

It's $FREE too.

~~~
r1ch
And it only has access to all your bank logins, emails, passwords and more!

~~~
72deluxe
That blanket message appears to be another way of wording "it has access to
what you type into a browser" (plus an Internet connection).

Who would have thought that the browser has access to what you type into
it???? Surely keyboards should come with massive warning stickers to highlight
the danger.

------
TamDenholm
Relevant:

[https://silktide.com/the-stupid-cookie-law-is-dead-at-
last/](https://silktide.com/the-stupid-cookie-law-is-dead-at-last/)

[http://nocookielaw.com/](http://nocookielaw.com/)

~~~
petercooper
Relevant, although mostly just to the UK. The ICO in the UK generally only
goes after "worst offenders" or the biggest companies. This means anyone under
a certain size can either ignore most of the laws they enforce or at least
only bother to resolve the issues when ICO chase them up.

------
userbinator
I really wish the other browsers would have something like this to quickly
turn on/off settings for specific sites:

[http://i.imgur.com/9qvdOfW.png](http://i.imgur.com/9qvdOfW.png)

(Opera, before it turned into yet-another-webkit-browser - and _removed_ that
very useful feature.)

Since I have JS (and cookies) off by default I don't get the cookie messages
much if at all, but for sites which need JS or cookies, it's almost trivial to
enable them immediately.

~~~
amyjess
I _really_ miss Opera's site-specific settings.

IMO, the web has gotten considerably worse in the last few years.

~~~
aw3c2
I highly recommend gorhill's umatrix, it's perfect. Alternatively you could
give this a try: [https://addons.opera.com/en/extensions/details/site-
specific...](https://addons.opera.com/en/extensions/details/site-specific-
preferences/)

AFAIK Firefox also has site specific settings hidden somewhere but I am not
sure.

RIP Opera 12... I wish they'd just freely release the sources.

~~~
userbinator
Firefox _had_ site-specific settings...

[http://www-archive.mozilla.org/projects/security/components/...](http://www-
archive.mozilla.org/projects/security/components/ConfigPolicy.html)

...and there was even a bug to create a nice UI for it...

[https://bugzilla.mozilla.org/show_bug.cgi?id=38966](https://bugzilla.mozilla.org/show_bug.cgi?id=38966)

...but look at the last comment on that bug. :(

Interestingly enough, IE11 still contains much the same UI for
white/black/default-listing sites in different zones with configurable options
that has been there since at least IE4:

[https://support.microsoft.com/en-
us/kb/174360](https://support.microsoft.com/en-us/kb/174360)

~~~
aw3c2
Typical. I guess someone needs to implement the functionality as proprietary
website then Mozilla could add it back in!

------
phkahler
IMHO browsers never should have gotten cookies in the first place, and they
certainly shouldn't have ever allowed them to be accessed from different
sites. Sure, it's very convenient for a site to recognize you when you return,
but there are other way to get much of the way there.

But hey, rather than scaling back HTML 5 includes a client side database! WTF?

~~~
fixermark
Out of curiosity, what would you have recommended, had you been on the web
steering committee at the time?

~~~
phkahler
>> Out of curiosity, what would you have recommended, had you been on the web
steering committee at the time?

Cookies should have been _at most_ a GUID for a single session on a single
server.

With a little dynamic content you can put a session GUID in every link on a
site and not have anything stored locally on the users machine. Back in the
day this was a more significant problem than it would be today. Note that this
would also preserve the user ID in bookmarks. Also, it really begs for HTTPS.

There are probably other ways to do these things, but people will either claim
they are inefficient or just keep their blinders on and make excuses in favor
of the status quo. Of course many of the alternatives could probably be abused
as well, it's just harder.

~~~
fixermark
That might very well have legs. I wonder how one would support keeping a user
logged in across sessions, but that might still be a solvable problem.

------
sambe
I'm failing to understand the supposed nobility some people are commenting on.
99% of people don't understand or don't care anyway. Annoying and confusing
those people is not noble. The people that do care will likely find that
turning off cookies break their favourite sites, so the warning is not
practically actionable.

Some sites now offer me the choice of cookies, the choice to participate in a
quick survey, a choice to use the iOS app, another iOS app choice that is
identical to the first, the choice to instantly connect to a live customer
service representative and no choice about watching a partner video. Might as
well bring back all the animated GIFs and marquee text.

~~~
manigandham
This can be said of lots of other issues like Safari's war on internet
infrastructure by banning 3rd party cookies for no reason. Cookies are a known
entity, easy to check and easy to clear, not to mention they also held opt-out
status for all those networks that offered it. Progress should be
understanding and choice, not brute force approaches like these that just
fatigue users and undermine the entire cause.

~~~
michaelt
Users who don't like Safari's privacy defaults can just change them, though.
If you like understanding and choice, why not let users understand and choose
turning third party cookies on, instead of turning them off?

~~~
manigandham
The defaults are the issue, by going against the greater convention on
something that only a few minority really have a big concern with. None of the
other browsers do this and it hasn't really led to any privacy benefits,
rather it's increased the level of tracking from something that was easily
controlled and understood to now fingerprinting and even ISP level
identification.

------
glimmung
The original requirement was for sites to obtain "prior informed consent", and
this is essentially impossible - you cannot educate a user about the
implications of cookies in a pop-up.

Further, the ICO here in the UK refused to provide meaningful advice as to
what was actually required, so it's far from certain that these pop ups are a
legal requirement anyway. We use them if the client wants them, but otherwise
we simply make sure there is a "Cookies and Privacy" link in the footer that
interested users can follow. I'm sure one day some jobsworth will tell me I
need to join in this charade, but until that happens, no pop ups from me...

------
ikken
It's not only a distraction but outright dangerous. People got used to accept
every banner with word "cookie" in it. There were cases in Poland where
scammers would add "and I subscribe to X and will pay Y monthly" onto the
cookie banners and then send invoices to customers (as long as they could get
their address, e.g. when they came via email link).

------
aethertron
These annoying messages are a bad attempt to follow a bad law. But to just
block these messages in the browser seems like a bad approach. The point is to
get informed consent to write+read cookies from the user. One could argue that
the act of installing a plug-in for this purpose = implicitly consenting to
accepting any and all cookies, but that seems like a weak inference.

Given the law, it would be better to be able to pre-emptively, explicitly
blanket-consent to all cookies, or specific types of cookies (e.g. analytics
tracking, or saving user settings) in one's browser (or at first, before it's
standardised, with a plugin).

Of course, this solution would require web developers to follow certain
standards in implementing their cookie-consent-getting method. (It would have
been even worse if they tried to legislate this from the outset.)

------
guigar
I propose a new "standard" role="bullshit" to the W3C. Developers around the
world could use it to mark those bullshit fragments of their pages. Users
could filter them with a browser plugin "Bullshit Block".

------
Aoyagi
I would actually love it. If it worked. As it is, all it says is "by using our
site you agree to everything" while you already have a ton of cookies from god
knows where implanted into your browser.

------
owenwil
I just moved to Europe and this started annoying me to no end. Thankfully,
this Chrome extension kills them all
[https://chrome.google.com/webstore/detail/i-dont-care-
about-...](https://chrome.google.com/webstore/detail/i-dont-care-about-
cookies/fihnjjcciajhdojfnbdddfaoknhalnja?hl=en-GB)

------
golemotron
WARNING: This website contains cookies known by the State of California to
cause cancer, and birth defects or other reproductive harm.

------
evantahler
so... has anyone made a chrome plugin to just click all the buttons yet?

We can keep a list of [ webistes -> $('#TheCookieDiv').click ] - commands
which we keep on github and shake like homebrew does (`cookieThing update`
could be run daily)

~~~
evantahler
On a legal note, I would imagine we could say "By using/downloading the
plugin, I opt into all cookies, all the time"

Companies would like this too because they then could keep doing _exactly_
what they are doing (to be complaint), but perhaps we could convince them to
add a file to their websites specifically for our tool to look up the DIV.
Something like www.site.com/cookieAcceptDiv.txt which would list the clickable
region to suppress the pop-up

------
pmontra
As web developer and user of web sites I feel your pain but for the small web
sites it's a matter of better being safe than sorry. Some countries have
pretty hefty fines against sites that send cookies without notice.

------
pskocik
What's the point of having a pop-up that tells you "this site uses cookies"
when tools can tell you exactly that without the webdeveloper's having to make
a single modification to the website?

------
ymse
The most annoying part is that blocking first-party cookies (e.g. with
µMatrix) causes this message to appear _every time_ since you are not sending
your "consent" back to the server.

------
jebblue
I wish cookies could be made completely illegal worldwide. You want to track
me, use your database should I choose to create a business relationship with
your site and login.

~~~
JoeAltmaier
Sites can now use server-side cookies, where different sites even share info
they glean from you. So they can auto-fill forms because you filled out a
similar form on another site. Your browser is no longer complicit in 'cookie
storage'.

What can be done about that? Its not unreasonable for vendors to keep and
share information. Its not practical to have personal control over what
they're doing up there in the cloud.

~~~
patrickmn
That too is subject to the EU ePrivacy Directive, so the idea is you're
supposed to be able to report someone who does this to your national
ombudsman, like the ICO's office in the UK, and they'll fine the offender.

The language in the ePrivacy Directive always talks about tracking terminals
(devices.) It's not just about cookies, or browsers. You need the user's
consent to track their device, period. (However you don't need consent for
e.g. basic cookies that are necessary for a site to function, and which aren't
used for tracking.)

~~~
JoeAltmaier
I'm wondering if 'cloud cookies' are tracking the device, or tracking me. E.g.
if I enter my name and address, it fills in the rest from the cloud. Maybe
that wriggles through because there's no device tracking.

~~~
patrickmn
That doesn't really sound like tracking, though.

------
kaugesaar
It's funny how many sites have that "I agree"-option. Because they still put
15 cookies on my computer before I even agree to it.

------
Kiro
I don't understand why websites have these at all. Have anyone ever been fined
or anything for lacking one?

------
fennecfoxen
Javascript alert API? And not just an X-I-consent-to-your-use-of-cookies HTTP
header? Please. :b

------
thatgerhard
This is another example of old corportate red tape getting in the way of
progress

~~~
fixermark
New corporate red tape. ;)

------
gesman
...or autoaccept TOS that no one reads or cares about.

------
teddyuk
I'm in the EU so stupid EU laws apply to me and it is irritating, just forget
it EU, no one gives a shit about cookies. ( I obviously talk for everyone in
the EU)

------
eueueu
If you are in the UK, please vote to withdraw from the EU. This sort of
meddling into every minute detail of our lives is only going to get worse.
(See also banning vacuum cleaners and light bulbs). Also checkout cars that
aren't powerful enough to go up hills due to trying to meet EU emission laws.

~~~
efdee
Or making porn opt-in on the internet. Stupid EU. Oh wait.

