
Ask HN: Shouldn't web browsers ask us before storing cookies? - jakemor
Every time we visit a GDPR compliant site, we are greeted with the all too familiar (yet far from homogeneous) popup asking us to either accept or deny the site's privacy policy and cookie behavior.

I'd like to point out how this law is hurting the web.

When the onus is on the developer to ask a user for permission, the user is forced to trust the developer. For example when a website asks me if they can store cookies in my browser, and I say no, there is no easy way of me knowing if that site is actually listening to me.

Wouldn't it be cleaner if the burden was on the browser to ask us for permission?

In iOS for example, the operating system asks you if you'd like to grant an app access to your camera... not the app itself! Imagine we had to blindly trust an app to not use our camera, without any help from Apple. Mayhem!

Instead, the EU mandates that developers ask permission. Developers place a stupid looking div filled with legal jargon on their homepage. We roll our eyes and click accept. Good actors (who respected our privacy in the first place) continue to respect our privacy. Bad actors continue to ignore it.
======
fitzroy
Instead of asking for each site, just allow first-party cookies and delete
them by default when the last tab of that domain is closed. The user should be
able to favorite cookies to keep indefinitely, with the rest being cleared on
a user-defined schedule (onTabClose, 1 hour, 24 hours, 1 week, etc). There was
a free Safari extension called Safari Cookies that handled the favoriting but
it stopped working several years ago.
[https://sweetpproductions.com/safaricookies/index.htm](https://sweetpproductions.com/safaricookies/index.htm)

I'm surprised this isn't a standard feature built into browsers. Seems like it
would be obvious to have a level of granularity between accept all first-party
cookies and accept none.

Edit: to clarify, I don't think setting cookies is the issue (and not worth
the UX hassle to ask every time); the issue is storing the cookies for longer
than the interaction persists. To me, it's analogous to someone remembering
who you are during a conversation vs adding you to their rolodex and storing
that info indefinitely.
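
The retention policy proposed in the comment above, as an added example that is not part of the original post or of any browser's code. All function names, the sample state and the rule that a cookie with no recorded tab close counts as expired are assumptions made for illustration.

```javascript
// Added illustration; every name here is hypothetical, not a browser or extension API.
const HOUR = 60 * 60 * 1000;
// The retention choices listed in the comment, as a grace period in milliseconds.
const SCHEDULES = new Map([
  ["onTabClose", 0],
  ["1 hour", HOUR],
  ["24 hours", 24 * HOUR],
  ["1 week", 7 * 24 * HOUR],
]);

const norm = (d) => d.toLowerCase().replace(/^\./, "");

// Cookie domain-match: the host equals the cookie domain or is a subdomain of it.
function domainMatches(host, cookieDomain) {
  const h = norm(host);
  const d = norm(cookieDomain);
  return h === d || h.endsWith("." + d);
}

// "Just allow first-party cookies": accept only when the tab's own host matches.
function shouldAccept(cookieDomain, tabHost) {
  return domainMatches(tabHost, cookieDomain);
}

// Returns the cookies the policy would delete at time `now`.
function cookiesToDelete({ cookies, openTabHosts, favorites, schedule, closedAt, now }) {
  if (!SCHEDULES.has(schedule)) throw new Error("unknown schedule: " + schedule);
  const grace = SCHEDULES.get(schedule);
  return cookies.filter((c) => {
    // Favorited sites are kept indefinitely.
    if (favorites.some((f) => domainMatches(c.domain, f))) return false;
    // The interaction is still live while any tab that can send the cookie is open.
    if (openTabHosts.some((h) => domainMatches(h, c.domain))) return false;
    // Otherwise measure from the most recent close of a matching tab; a cookie
    // with no recorded close is treated as already expired (assumption).
    const times = Object.entries(closedAt)
      .filter(([host]) => domainMatches(host, c.domain))
      .map(([, t]) => t);
    const last = times.length ? Math.max(...times) : 0;
    return now - last >= grace;
  });
}

// Constructed sample state (not real data).
const NOW = 30 * 24 * HOUR;
const SAMPLE = {
  cookies: [
    { name: "sid", domain: "shop.example" },
    { name: "prefs", domain: ".news.example" },
    { name: "login", domain: "mail.example" },
    { name: "old", domain: "blog.example" },
  ],
  openTabHosts: ["www.news.example"],
  favorites: ["mail.example"],
  closedAt: {
    "shop.example": NOW - HOUR / 2,
    "blog.example": NOW - 2 * HOUR,
    "mail.example": NOW - 14 * 24 * HOUR,
  },
  now: NOW,
};

const namesFor = (schedule) =>
  cookiesToDelete({ ...SAMPLE, schedule }).map((c) => c.name);
console.log(namesFor("onTabClose"), namesFor("1 hour"), namesFor("1 week"));
```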

~~~
SyneRyder
Microsoft Edge Beta has this. In Settings -> Site Permissions, you can disable
"Allow sites to save cookies", but then add individual websites to the Allow
list. There is also a Clear On Exit list you can add sites to.

I'm pretty sure Firefox & Chrome have similar functionality.

~~~
fitzroy
Thanks, just found it here in Chrome: chrome://settings/content/cookies

I've mostly switched back to Safari ...so I look forward to getting this
option in a decade or so.

In all seriousness, this would naturally fit into the new Safari "Websites"
permissions in Settings. Right now cookies, databases, HSTS policy, and local
storage are still in the old "Manage Website Data..." window, which would seem
redundant now.

------
proofofconcept
As I remember it, this was an option you could enable in Netscape Navigator
back in the dialup days. In practice it meant that every time you went to a
new website you'd have to click ok on a dozen popup menus asking for
permission to store each individual cookie before the page would load. I'm
sure there are ways to make that process go a little more smoothly but in
practice it's still probably something that most users would immediately turn
right off.

~~~
cheez
Oh my god, you just triggered some horrifying memories of that popup.

No, you definitely don't want the web browser to ask.

~~~
kbrosnan
In the dial-up days I remember turning on ask to set cookies. It was fairly
common to need to deny 10-20 cookie requests even back then. Now there are
extensions to manage website trackers that deal with more than just cookies.
Extensions are a ton better than having the user agree to each cookie that is
sent.

~~~
cheez
Yep.

------
hos234
It used to be an option in Firefox. You have to go dig around bugzilla to find
the reasons they removed it -

[https://bugzilla.mozilla.org/show_bug.cgi?id=1249151](https://bugzilla.mozilla.org/show_bug.cgi?id=1249151)

[https://bugzilla.mozilla.org/show_bug.cgi?id=606655](https://bugzilla.mozilla.org/show_bug.cgi?id=606655)

~~~
userbinator
...and this:

[https://bugzilla.mozilla.org/show_bug.cgi?id=570366#c1](https://bugzilla.mozilla.org/show_bug.cgi?id=570366#c1)

"This option isn't supported, last I checked"

What a reason. They decided to remove it because it "isn't supported"? So much
for "open source" being better at "do what users want"... if you personally
don't need that option, fine, don't use it. But don't go taking away things
that a lot of others want.

I get extremely angry whenever I see discussions like that. You can read and
even participate in them, but your opinion is ultimately useless because
you're not part of some privileged group who makes all the decisions about
what to do with Firefox. It's no better than proprietary software where your
bug reports are similarly ignored, besides being possibly a _little bit_
easier to patch.

~~~
detaro
I feel like this is an unfair representation of that comment.

If the actual backend doesn't support that option, it's indeed a problem that
the UI offers it, especially if it's causing a bug. The question _if_ it
_should_ be supported is unrelated to that, and not really a topic for that
unrelated issue. I've certainly had my own bad experiences with Firefox
issues, but that's not a good example.

------
tempestn
From my perspective, a lot of the problem is that there are very legitimate
uses for cookies and other types of local storage, outside of advertising and
other sorts of tracking. I.e. remembering user preferences, knowing what
messages they've seen, that kind of thing. It would be a huge hindrance to not
be able to persist any kind of state between visits. The real issue in most
cases are third party cookies from ads and other trackers, but in almost
everyone's understanding these are all lumped together into the single
category of 'cookies'.

Of course, it's not quite as simple as "first party cookies fine, third party
bad", since when you're on a domain like google.com for example, a whole lot
of tracking goes on with first party cookies. But still, that can be dealt
with. If I were coming up with a regulation (be it enforced at the browser or
site level) it would make a distinction between first party cookies on domains
serving up to X users per month, first party cookies on domains serving over X
users per month, and third party cookies on all domains. The first of those
categories could, I think, be unregulated. Save messages and/or restrictions
for the other two and I think it would go a lot further toward achieving the
goals of these sorts of initiatives, while being much less of a useless
annoyance.

Firefox is going in this direction somewhat with their default blocking of
third party cookies, but there's nothing they can really do unilaterally to
treat first party cookies on google.com differently from bobsblog.com.

------
neilobremski
I agree that "this law is hurting the web" but I don't see how shifting that
from the website to the application is going to solve the root issue. Prompts
like these are annoying speed bumps that I have a hard time believing are in
any way effective -- paranoid people already deeply evaluate the software and
services they use whereas the casual user is likely to just "yah yah, get
this out of my face" click it.

~~~
jakemor
If you tell the website “no don’t track me” it can’t even remember not to
track you (because doing so would be tracking you!) so they have to ask every
time.

If you tell the browser no, it would just block the site from storing any info
in the browser. It would ask you once only the first time you visit a site,
and you can change it whenever in the toolbar. Problem solved, no?

~~~
TheCoelacanth
> If you tell the website “no don’t track me” it can’t even remember not to
> track you (because doing so would be tracking you!) so they have to ask
> every time.

That is absolutely not true.

------
morpheuskafka
How about, if you install software such as a web browser on your computer that
has a certain functionality intentionally exposed via an API, and you then
visit sites that make use of that API, you have given consent for them to use
it. And if you don't like it, you can reconfigure said browser to block them.

~~~
Retric
Technology can have legitimate and illegitimate uses. Just ask the humble
crowbar. Laws are how we codify such things and software is no different.

Consider, a computer virus is only doing what the OS/hardware allows it to do.
By your reasoning that should be absolutely acceptable in all situations as
TCP/IP is an API.

------
_jomo
I'd like to point out that GDPR compliant sites don't need to ask permission
for strictly necessary cookies.

I also recommend using Cookie AutoDelete for Chrome [0] or Firefox [1]. You
can define a whitelist of websites where you actually need Cookies (because
you want to stay logged in), and the rest will be forgotten when you close the
tab. It even allows different rules in Firefox Containers.

0: [https://chrome.google.com/webstore/detail/cookie-autodelete/...](https://chrome.google.com/webstore/detail/cookie-autodelete/fhcgjolkccmbidfldomjliifgaodjagh)

1: [https://addons.mozilla.org/en-US/firefox/addon/cookie-autode...](https://addons.mozilla.org/en-US/firefox/addon/cookie-autodelete/)

~~~
jopsen
> I'd like to point out that GDPR compliant sites don't need to ask permission
> for strictly necessary cookies.

That's also my interpretation. If you use cookies for session state,
authorization, then it's no problem.

The problem is that every website decided that they needed to track users. Or
that asking for permission would minimize liability.

~~~
ChrisSD
Even with tracking you merely need a privacy policy in a place users can find.
It's considered implied consent to continue using a site if the site makes a
reasonable effort to make you aware that such a policy exists.

However, what counts as reasonable hasn't been explicitly defined. The UK
government considers it fine to use a header that automatically disappears
after a while (i.e. no need to click "ok"). But other governments may view it
differently so I can understand some large organisations being cautious.

~~~
simpss
no such thing as implied consent in GDPR.

Here are the conditions for consent: [https://gdpr-info.eu/art-7-gdpr/](https://gdpr-info.eu/art-7-gdpr/)

Most sites don't adhere to that at all as there's pretty much no way to "not
agree", which means they can not rely on consent as a legal basis for
processing PII.

~~~
kd5bjo
I feel it's important to note that, although implied consent doesn't mean
anything in a GDPR context, consent isn't necessarily required at all. It's
only one of 6 different justifications a business can use to show their
activities are legitimate: [https://gdpr-info.eu/art-6-gdpr/](https://gdpr-info.eu/art-6-gdpr/)

~~~
Macha
And they all have their own stipulations. Contract requires that the data is
needed to perform your part of the contract, legitimate interests requires
documentation proving you do need the data and weighed the risks to users.

------
Nextgrid
The GDPR consent prompts are less about technicalities (are you using cookies
or local storage) and more about giving the site permission to stalk you no
matter what method they use.

The real problem here is the lack of enforcement of the regulations. The
majority of GDPR consent prompts are obnoxious because they aren't actually
compliant - compliant ones are much more pleasant. See this comment I just
posted on another GDPR thread:
[https://news.ycombinator.com/item?id=21429666](https://news.ycombinator.com/item?id=21429666)

Finally there's this misconception (it could be a lie perpetuated by companies
looking to profit from GDPR-related consulting, or those looking to push back
on the regulation by making it seem more annoying than it actually is) that
_all_ cookies require consent. That is blatantly false. Cookies to store site
preferences (like language, font size), shopping carts or login sessions don't
require consent as they're necessary for the functionality you're trying to
use.

~~~
gingerlime
I honestly can’t figure out how these popups became so prevalent. They’re so
obviously not compliant not just with the fine print of GDPR but with its
spirit.

Even if you’re completely cynical about being compliant with GDPR I would
imagine that not having popups like that at all is more compliant or less
likely to get you in trouble than having those flagrantly-non-compliant
ones...

~~~
TheCoelacanth
It's basically the "I don't have to be faster than the bear, I just have to be
faster than you" principle in action.

GDPR violations are so ubiquitous that regulators can't possibly go after all
of them.

As long as you aren't a particularly juicy target and are doing the same
things that everyone else is to pretend to follow GDPR, you probably aren't
going to be among the first enforcement targets.

~~~
kd5bjo
There's also some cargo-cult legal reasoning going on as well, I think:
instead of paying a lawyer to read the new law and tell you what you actually
need to do, simply do whatever you see everyone else doing and assume it's
fine.

------
userbinator
IE had it up to version 11:

[https://www.technipages.com/wp-content/uploads/2014/07/IE-Ad...](https://www.technipages.com/wp-content/uploads/2014/07/IE-Advanced-Cookies-Settings.png)

Edge is dumbed-down and removes, among other things, that option:

[https://answers.microsoft.com/en-us/edge/forum/all/cookie-co...](https://answers.microsoft.com/en-us/edge/forum/all/cookie-controls-in-edge/082462e6-0746-48db-bcdc-0c03373d8a4e)

------
oliwarner
Storing data in a cookie is not the dangerous bit, it's the intent, the _what
you're storing that data for_ which matters.

A browser popping up a prompt saying "google.com wants to store a cookie, is
that okay?" isn't enough.

The design of these cookie and enhanced data protection laws is that websites
need to spell out their intent. To tell people what data they're storing _and
why_. Yes, you could code that into headers and have the browser relay that
information, but that's the stalemate we're in.

------
wronex
How about Firefox Temporary Containers?

[https://addons.mozilla.org/en-US/firefox/addon/temporary-con...](https://addons.mozilla.org/en-US/firefox/addon/temporary-containers/)

I think they compartmentalize each tab until it is closed. Dunno if it only
clears cookies or all other forms of storage.

Cookies get all the bad press when there are many other ways to store data. Or
does the word "cookie" encompass all forms of persistent storage?

------
Buge
100% agree, I've argued for this same thing in the past.

[https://www.reddit.com/r/worldnews/comments/7h28hi/google_co...](https://www.reddit.com/r/worldnews/comments/7h28hi/google_could_be_forced_to_pay_over_five_million/dqoj1g6/)

------
kd5bjo
Note that the GDPR isn’t just about cookies, it’s about _all_ collection of
personalized information, in any form. It also outlines plenty of scenarios
that don’t require a separate permission request beyond simply doing business
with a company.

We’re only in the midgame of this particular regulation— the rules changed
“suddenly” and specified outcomes rather than methods. Regulators and
businesses are in the messy stage of negotiating best practices as businesses
change as little as possible and regulators give fines for misconduct.

The hope is twofold: that enough users will opt out to make problematic
business models less profitable, and that the lower user friction of models
that don’t require tracking will become relatively more successful. Neither of
these goals is served by allowing a blanket permission setting.

------
diminoten
"Shouldn't" implies some kind of higher authority capable of enforcing such a
feature universally across browsers, when no such authority exists.

Browsers give you all kinds of opt-out capabilities, if that's something
you're interested in. The fact is, most people aren't interested.

~~~
johnchristopher
But those opt-out capabilities are as clear-cut as most of GDPR banners.

edit: mea culpa, I somehow missed a bunch of keys and there is a missing
negation in my comment which should read "But those opt-out capabilities
aren't as clear-cut as most of GDPR banners." I mean: the UI isn't there to
opt out of affiliated adtech networks or to store the amount of details the
user is willing to share.

~~~
NateEag
Conceptually, there is no way to make trusting cookies both simple and
transparent.

Even something as simple as a unique identifier can be used for both helpful
and malicious ends. You'd need to read all the code pertaining to it to have a
clue if it's something you should accept, and you can't ever know what the
server's backend code is, even if it claims to be open source (it can always
be running extra components that are not developed in the open).

So, opt-outs are inherently a flawed idea, at least with any granularity.

Turning off cookies entirely in your browser then opting all-in for sites you
choose to trust is about all you can reasonably do.

------
gpvos
IIRC, in the early days, they did ask for every cookie.

~~~
rzzzt
lynx definitely had a "yes/no/all for this site" kind of question.

------
dynom
Your suggestion makes a lot of good sense. Cookies aren't the real threat
though. Surely cookies are used for both wanted and unwanted tracking. Passive
tracking however (fingerprinting of any form) will remain the threat we can't
block and we won't know is happening.

If we add a mechanism to allow the OS to handle cookies, bypassing possibly
untrustworthy browser vendors, we won't solve much and will create a false
expectation, while (arguably) breaking more than we fix.

This doesn't mean we shouldn't, but if a method is found, it should include a
significantly more comprehensive form of anonymity.

--2 cents

------
rolph
I usually right click and select an element blocker.

There was a time wayy back when a browser would prompt user when site requests
to push out a cookie [up to about mid 90's AFAIR], but that was before the web
was hijacked for commercial interests.

Now there are often so many cookies with the typical website that a manual
dialogue would waste all your user time.

So I think that's where the decision was made to include all cookies, in one
broad permission setting.

------
Rarok
Internet Explorer (in the time of Windows 95) did that and people didn't like
it and always checked the "Never ask me again" checkbox.

------
ecesena
Browse in anonymous/private mode.

There’s unfortunately little difference between cookies used to keep you
logged in and to track you. Therefore no cookies = log in every time. As long
as you’re ok with that, go for it!

------
simpss
GDPR does not require "cookie consents forms" and neither do the EU e-privacy
rules. There are clear exemptions for authentication and other technical
cookies.

Basically, the form is only required if you're doing something nastier, like
tracking.

I've never understood why sites just run with the concept and implement the
"permission form" when it really isn't required for good actors.

[https://wikis.ec.europa.eu/display/WEBGUIDE/04.+Cookies#sect...](https://wikis.ec.europa.eu/display/WEBGUIDE/04.+Cookies#section_2)

ps: for firefox I use "cookie autodelete" extension
[https://addons.mozilla.org/en-US/firefox/addon/cookie-autode...](https://addons.mozilla.org/en-US/firefox/addon/cookie-autodelete/)

------
butz
Upcoming ePrivacy law should fix this nonsense with cookie banners. Although,
having cookies permissions settings, like notifications and location in
browser UI would be great.

------
frippledipps
It's just the beginning. Given the logic of the almighty regime, each web
link has to have a label describing all privacy impacts it might have if you
click on it. The link will only open if you confirm.

------
johnchristopher
But that would place the responsibility to enforce GDPR on browser vendors,
not publishers. GDPR is about private information, the browser isn't
interested in that, the publisher is, so the responsibility falls on the
publishers.

------
JohnTHaller
They used to. Everyone hated it. They stopped.

------
tinus_hn
Do you really want 120 questions for each site you open?

~~~
zrm
You don't need 120 separate questions, just a single list with all 120 cookies
and their domains, with a checkbox next to each one and some "select/deselect
all" buttons.

~~~
EpicEng
That literally almost no one knows how to use and clicks ok anyway.

~~~
zrm
It's not possible to make an informed decision about whether to accept a
particular cookie without first becoming informed. No UI can change that. But
it can at least provide the option for the people who take the time.

------
DoubleGlazing
It would be almost impossible to enforce. Publishers have a point of contact,
an address or a hosting company, some sort of physical place where you can
find whoever is in charge of the site. In other words, somewhere to send legal
documents and summonses should a government wish to pursue legal action.

This is only partly true for web browsers. Google, Mozilla and Microsoft have
addresses. But what about all the browsers that have forked from open source
projects? If someone forks Chromium and adds nasty features, how do you track
them down if they did everything anonymously?

More to the point, if a law is passed that says "all browsers must do X,Y and
Z". How do you enforce that in a world where open source is so prevalent? The
big players may add the requirements to their flagship browsers, but if those
browsers have open source underpinnings they have no control over the forked
versions.

It's the publishers who are abusing browser capabilities, it's much easier to
force them into compliance rather than trying to legislate how browsers work.

~~~
jakemor
> More to the point, if a law is passed that says "all browsers must do X,Y
> and Z". How do you enforce that in a world where open source is so
> prevalent?

Easier to enforce it on browsers than EVERY SINGLE website that uses cookies
for tracking, no?

