
Prebake: Block EU Cookie Notices with Adblock - rcarmo
http://prebake.eu/
======
Udo
This whole thing is ridiculous. While adding these widgets to blocking filters
seems like a workable short-term solution, the entire cookie notice scheme is
unworkable in the long run. The problem is, this crap will stack up in the
future, and none of it will ever get abolished. On some sites, I get a triple-
stacked legalese warning banner, and I have to manually close all three of
them.

Since internet law will only get worse, maybe it's time for a "real" technical
solution to this. For example, if we had a standardized HTML element attribute
to mark these widgets, browser/adblock makers could enable people to opt out
of displaying them. It might look something like this:

    
    
      <div legal-notice="cookies">...</div>
      <div legal-notice="DMCA">...</div>
      <div legal-notice="terms-of-service">...</div>
    

And ideally, there would be a JavaScript API to query this as well, maybe
piggy-backed on the Permissions API:

    
    
      navigator.permissions.query({ name : 'skip-notice', topic : 'cookies' })

~~~
blub
Why block them? It's good that websites have to be more transparent with how
they are tracking users.

It is however inconvenient for the websites. They could always stop using
privacy-invading ad networks and external services which track users and then
they wouldn't have to show any message.

~~~
benihana
>They could always stop using privacy-invading ad networks and external
services which track users and then they wouldn't have to show any message.

"if these companies would just invent and build a new infrastructure to pay
the bills, they wouldn't need to present a nag."

~~~
blub
EU citizens are under no obligation to support business models that have a
negative effect (be it small or large) on their lives, nor are they obliged to
make it technically convenient for companies to conduct their business.

There are many business models which do not come with moral dilemmas and that
do not fall under the incidence of this law. Data mining and tracking might be
trendy, but it's not a free for all, there need to be rules and the privacy of
users must be respected. If some companies are unable to do fulfill these
basic and fair requirements, that is strictly their problem.

~~~
efdee
You seem to be ignoring the fact that this is about users not wanting to see
that silly notice, not about websites not wanting to display it.

------
skrause
This stupid cookie notification law was actually the main reason why I had to
enable cookies permanently. My browser used to delete all cookies at the end
of the session (when I closed the browser) except for a few whitelisted
domains.

Then these notices popped up everywhere. So where do the sites store the
information that you've already seen the notifications? In the cookies of
course! So if you're actually serious about your privacy and delete cookies
you will the the notices every time...

------
belorn
The reason that the EU cookie law broke down is that directly after the EU
directive was issued, several lawyers from large companies changed their
interpretation of an older 1995 directive that dictate how consent is given.
The directive says that consent require " _specific and informed indication_
", but lawyers from very large companies decided that the act of continuing
using a website _was_ the same thing as giving "specific and informed
indication", thus users agreed to whatever policy or agreement that is linked
in the banner.

I visited a conference during that time which had a panel where those lawyers
was discussing this and even brought up a question if a person really could
agree to 20 pagers of policy document from the mere fact of just continuing
using the website, and their collective answer was _yes_ (through one agreed
that 30 pages would be too much). To my knowledge no legal case has ever
tested this, and thus we got this ridiculous cookie notice system where things
has gone from bad to worse after the 2002 directive.

~~~
facepalm
Thank god, ehm, the lawyers: otherwise we would not just have annoying
banners, every page would start with an blocking dialog. No thanks.

~~~
belorn
You assume that every page need to have tracking cookies or that a websites
would choose to have a blocking dialog if that was required in order to store
and accessing information on users’ equipment. Even if we do those
assumptions, its not a good result for anyone and there need to be some peace
rather than war between the industry and politics, and making the concept of
consent meaningless is a very risky move going forward.

~~~
facepalm
Afaik you need it if you use Google Adwords. Not sure if Adwords could be
changed in a compliant way.

I recently started out to implement the cookie header on my site, and
discovered things are rather unclear. For example, couldn't Google somehow get
global consent for all Google Ads?

There also doesn't seem to be a way to ask for consent and only trigger Google
Ads if consent is given.

Maybe there are some things that Google could improve to alleviate the
situation. But advertising probably also depends on at least a little bit of
tracking.

If they (the politicians) want to outlaw online advertising, maybe they should
just say so directly?

------
liam_ja
Hi HN, I'm the creator of this filter list.

If anyone can spare 5-10 minutes a week to help me and a couple of others
maintain this list (testing and merging pull requests, closing issues, etc.),
I'd be very appreciative!

You can contact me here or send an email to cookies[at]prebake[dot]eu

~~~
cpeterso
If an extension like Prebake (which I realize just a filter list) added a
'DNT: 0' HTTP header ( _Do_ Track instead of Do Not Track), then automatically
dismissing cookie notices would be a "legitimate" new solution and not be
"cheating" (as some might call it). If the user _also_ runs a ad or tracker
blocker, well, that's their business and a different problem. ;)

------
vruiz
This is great not just from a user's perspective, also the fact that it exists
helps pointing out the stupidity of the law.

~~~
cornewut
I think law is fine and there should be only a handful of sites in the
Internet that would need such warnings.

Problem is the abuse of technology to track users.

~~~
vruiz
Even assuming that law was necessary (debatable), the idiotic thing was asking
millions of websites to do this, instead of automatically in a handful of
browsers. Not to mention absurdities like the fact that you need cookies to
remember that the user doesn't want cookies, or even worse:
[https://twitter.com/jgrahamc/status/633551359774691328](https://twitter.com/jgrahamc/status/633551359774691328)

~~~
blub
Perhaps something is deeply wrong with the way companies approach the internet
if millions of them have to display a notice that they are tracking their
users.

~~~
vruiz
No, I can see that you are not familiar with the law, I don't blame you
because nobody is, since it's incredibly vague about when applies and AFAIK
nobody has yet been fined. There are hundreds of companies doing wrong things,
no doubt. The "millions" are collateral damage.

~~~
blub
I am basing my statements on
[http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm](http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm)
(the chapter EU legislation on cookies). According to this guide, the
following cokies are exempt from consent: user-input (forms, shopping carts),
authentication (for the session), user-centric security, multimedia player, ui
customization, social network for logged in members.

Seems quite straightforward and fair.

~~~
vruiz
No it's neither straightforward nor fair. Because it's a whitelist (and a
short one), not a blacklist. You can not legislate like that, making
potentially illegal any use case that you could have missed or any future use
case.

And there is plenty of legitimate usages that are not whitelisted. The most
notorious is non-shared traffic analysis. Meaning what basic google-analytics
offers and half of the internet uses. There is absolutely nothing wrong with
knowing how many unique visitors you got today, and everyone with a website
wants to know that.

~~~
TeMPOraL
> _There is absolutely nothing wrong with knowing how many unique visitors you
> got today, and everyone with a website wants to know that._

Maybe people running those websites want to know that, but as a visitor, I
might _not_ want that. Being ablet o tell "how many unique visitors you got
today" implies that you can group actions by unique visitors, and thus tell
e.g. exactly what I was doing on your website over the course of days. If I'm
not logged in, I might not want that.

And don't get me wrong - I'm not really a strong privacy advocate or
something. Most of the time I don't care much about tracking. But while in
theory there's nothing wrong in tracking unique visits, we all know that the
primary use of this is to manipulate users and shit ads on them, nowadays
mostly cross-site. It's entirely reasonable people get fed up of being on the
receiving end of someone else's malice.

~~~
vruiz
> Maybe people running those websites want to know that, but as a visitor, I
> might not want that. Being ablet o tell "how many unique visitors you got
> today" implies that you can group actions by unique visitors, and thus tell
> e.g. exactly what I was doing on your website over the course of days. If
> I'm not logged in, I might not want that.

That's like asking the guy behind the counter in a shop to not look at you
because as long as you are not buying anything you don't want him to know you
are there. You are entitled to your feelings but if you don't want to be seen
don't go there, or care enough to open an incognito window.

> But while in theory there's nothing wrong in tracking unique visits, we all
> know that the primary use of this is to manipulate users and shit ads on
> them, nowadays mostly cross-site.

No, primary use is regular analytics. 99.9% of websites on the internet are
not amazon. And if the law was for cross-site information sharing cookies then
this would be a totally different debate, but it is not.

------
lucb1e
Tried this before and it helps only so much. Many sites actually don't work
before you accept cookies (they pose it as a requirement and tell you that
cookies keep you logged in, even though the cookie law is _only_ applicable to
_tracking_ cookies) so you need to see the banner before you can see the page.
Examples: fok.nl and tweakers.net.

------
andrewaylett
I've been using a different filter list[1] for more than a year, and it's
really useful as I already use self-destructing-cookies[2] to exercise control
over which cookies my browser will remember, meaning that pretty much all
sites think I've never visited before and therefore try to annoy me with their
cookie banner.

[1]: [https://github.com/r4vi/block-the-eu-cookie-shit-
list](https://github.com/r4vi/block-the-eu-cookie-shit-list)

[2]: [https://addons.mozilla.org/en-GB/firefox/addon/self-
destruct...](https://addons.mozilla.org/en-GB/firefox/addon/self-destructing-
cookies/)

~~~
DavideNL
> meaning that pretty much all sites think I've never visited before

True, but also not True (unfortunately), because the websites can identify you
anyway by your fingerprint:
[https://panopticlick.eff.org](https://panopticlick.eff.org)

------
roel_v
It's depressing that we need something like this.

------
DavideNL
It seems uBlock (Safari 9) doesn't recognise this when i add it to the 3th
party filters/custom URLs - when i click "parse" i don't get to see a new row
with a checkbox. example:

this works: [https://raw.githubusercontent.com/r4vi/block-the-eu-
cookie-s...](https://raw.githubusercontent.com/r4vi/block-the-eu-cookie-shit-
list/master/filterlist.txt)

this doesn't work:
[https://raw.githubusercontent.com/liamja/Prebake/master/obtr...](https://raw.githubusercontent.com/liamja/Prebake/master/obtrusive.txt)

~~~
tdkl
True, although it's already in the 3rd party list and you can just enable it
there.

~~~
DavideNL
ahhh thanks, i didn't notice/expect it to be under the 'Regions languages'
section for some reason.

------
prodmerc
Well, this is just funny. Or sad, depending on how you look at it.

Personally, I'm annoyed by the cookie messages, but the law is supposed to
help people.

Blocking (or auto-accepting) them is basically saying we don't give a shit
about this law :-)

~~~
Kequc
Cookies are integral to the operation of every modern website. They offer
security in the form of features like csrf protection or maintaining login
state between visits. There is sufficient protection for cookies in the form
of encryption and a laundry list of further details which have been added over
the years.

There are far larger security related concerns on the web. The cookie warnings
are on par with if you had to agree with Javascript running on any page you
visit in the EU. So, yes, I want to auto-accept.

As a developer I feel like I'm not going to make special considerations that
ensure you can use forms on my website without cookies enabled. And I'm not
going to find another way to detect and re-instate your login state.

~~~
scrollaway
It's a misconception that you need to show this warning if you use cookies.
You only need to show it if you use _tracking_ cookies. Which means Google
Analytics.

Don't use GA and you don't need to show it. Your login cookies etc and
anything "essential to the operation of the website" are all explicitly
excluded.

The law is absurd, but it's not braindead.

~~~
Kequc
I honestly wasn't aware that was the law. I thought it was all cookies, that's
what the warning messages are worded to sound like they are saying, thank you
for correcting me. My question then is, websites are phoning home through use
of iframes? Because those cookies aren't accessible on different domains than
the ones they were issued.

Am I to understand companies are loading their own domain in hidden iframes
that phone home when I visit a website? Like it checks the iframe's top window
location and tracks what pages I'm on? Now you have me feeling paranoid.

What can be done about that. Google analytics arguably is a very useful
service.

~~~
scrollaway
I don't understand how you make that logical jump?

You can look at how GA tracks users with a bit of googling:

[https://developers.google.com/analytics/resources/concepts/g...](https://developers.google.com/analytics/resources/concepts/gaConceptsTrackingOverview?hl=en)

[https://support.google.com/analytics/answer/2992042?hl=en](https://support.google.com/analytics/answer/2992042?hl=en)

------
JelteF
There already existed a plugin for this
[https://cookiesok.com/](https://cookiesok.com/), but it misses quite a lot.
Hopefully this works better.

------
foobuzz
This law is so badly designed it is beautiful.

It warns users who don't accept cookies that the website uses cookies, at
every connexion. It doesn't warn users who accept them that they're used,
putting aside the first connexion.

It should be the other way around. The website should warn the user that a
cookie is used when the website just accepted a cookie from the browser. The
privacy concern happen at this very moment, when you phone back to the
website, not when the website phones you information.

