
I found a loophole to prevent those pesky cookie notices - Mojah
https://ma.ttias.be/loophole-cookie-notices/
======
gnicholas
Unfortunately this is not what I anticipated based on the title (a user-based
tool that circumvents pop-ups). It is a suggestion for website owners that
they not use any tracking pixels or analytics on their websites.

I’m sure that works great for this guy’s blog, but I’d guess that it would
hobble a startup’s ability to understand/optimize their customer funnel to
abandon tracking entirely.

------
davedx
While I agree with the sentiment the title is very clickbaity, can it be
changed?

~~~
joshspankit
I mean, it’s factually correct. It’s just that we (HN readers? web users?)
would assume that it’s about preventing them as a web user, and the author is
talking about preventing them as a creator/hoster.

------
oefrha
Save yourself two minutes of reading:

> Want to know why I don’t have a cookie notice on this site? It’s because I
> don’t track you.

Obviously doesn’t work for any website that requires creating an account and
logging in.

Thanks everyone for upvoting a nothingburger to the top of front page.

Edit: Okay, I didn’t know cookie notice isn’t required for login cookies
(apparently I never used a cookie banner on my sites anyway, cookie law be
damned). Anyway, the nothingburger point still stands.

~~~
chmod775
> Obviously doesn’t work for any website that requires creating an account and
> logging in.

You don't need explicit consent to provide functionality. When a user logs
in, their consenting to storing cookies on their computer is implicit.

~~~
jstrong
when a user logs in, it's consent

when a user sends a http request to a remote server with a client that saves
cookies on their behalf, it's not consent?

not arguing with you, per se, I just don't understand how sending a request to
someone else has somehow become "involuntary" under the law. the server didn't
come looking for you, your program asked it to send you the cookie.

~~~
chmod775
One cookie is required to provide the functionality I asked for, the other
isn't.

When I say "GET /some-information-on-topic" I did not ask you to track me, I
asked you for information on "topic".

When I say "POST /login", I want you to log me in.

~~~
jstrong
right but the cookie request can just as easily be ignored if you'd like.
there's no gun to your head to "take this cookie OR ELSE!"

if you walk into the local deli and there's a sign-up sheet to receive updates
about the store, is that coercion?

------
desmond373
Could privacy based browsers implement a way of giving bad data to cookies?
Poison the cookie jar, so to speak. An add-on would be nice but being able to
point to a browser and say "this is attacking the issue" would be nice.

~~~
rusk
I saw this discussed before, and I think the conclusion was that this is just
escalating an arms race. It just adds noise. Far better to just disengage if
you can.

------
superboum
I find the way the article is written interesting. Indeed, the title is
misleading and you will learn nothing on the technical part. However, the idea
here is to be vocal about what society we want.

The goal is to say, as an individual:

      - I am not ok anymore that so much sensitive data are collected
      - I know data collection had negative impacts on individuals and society
      - I can, and we should live without collecting so much data
      - Individuals and society should come before companies

And I definitely relate...

------
njitbew
I'm not sure if the author is trolling or actually presenting this as some
groundbreaking insight. I thought it was obvious to anyone that no cookies
means no cookie notice (and there are plenty of static websites that do this).
The point is that most websites try to make money, and making money means
advertisements, and advertisement (often) means tracking.

~~~
bluGill
Advertisement doesn't mean tracking. When someone buys a radio/TV Superbowl ad
they don't track who heard/saw it. When you buy a newspaper/magazine ad you
don't track who reads it. You can sometimes target a particular neighborhood,
but that is all the more you get, and no tracking of who got it.

The ability to track doesn't really add that much value to most ads. The only
time it is helpful is if you want to get a specific person across many
different platforms. If you have a niche product that is useful, but niches
generally have better ways to get their target (ie the forums frequented by
their target). When someone advertises a car they don't need to track - they
need to get everybody in the world because that is their potential customer
base.

~~~
mwnivek
> The only time it is helpful is if you want to get a specific person across
> many different platforms.

There are surely other uses. For instance, I might want to know if my ad is
being shown again to a return visitor or for the first time to a new visitor.

------
Udo
I do support this stance, but depending on your setup, there are gotchas
website operators should be aware of. I see CDNs as a major hidden aspect: for
the government, it looks like you're tracking people, even if you're not. So
you'll need to host those JS and CSS frameworks on your own server, which I
think is not that much of a problem, just something to be aware of.

However, the next issue is using Cloudflare or similar front ends. For
example, I use their free tier on most of my websites. These reverse proxying
services / DDOS mitigators / TLS terminators tend to set identifying cookies
which website operators have little to no control over.

My point is that the web ecosystem contains lots of integration points that
could lead to operators being liable in the eyes of the law, even if they're
not _actively_ tracking their users themselves - the services they use, do.

~~~
rusk
Are you liable for third parties using your site for tracking? If you're not
using cookies yourself, but you accidentally or otherwise include resources
from third parties that are used for tracking, do you still have to display
the cookie notice?

~~~
Udo
I think so, yes. For example, if you're including a Facebook button, that
counts. So including JS from a CDN would also have to count. And when you're
using a reverse proxy, I think it's not distinguishable anymore whether it's
you _personally_ collecting user behavior or whether it's Cloudflare doing it
on your "behalf".
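
Added example, not part of the thread or of any commenter's post: a small self-audit for the integration points discussed above, listing the third-party hosts a page loads sub-resources from and the cookies set on an anonymous GET. The `audit` helper, the hostnames and the cookie name are constructed for illustration, and exact hostname equality is assumed as the first-party test.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tag -> attribute that makes the browser fetch a sub-resource.
FETCH_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

class ResourceCollector(HTMLParser):
    """Collect the absolute URL of every sub-resource the page loads."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        value = attrs.get(FETCH_ATTRS.get(tag, ""))
        if not value:
            return
        # <link> only triggers a fetch for some rel values; rel="canonical" does not.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        self.urls.append(urljoin(self.page_url, value))

def audit(page_url, html, set_cookie_headers):
    """Return (third-party hosts, cookie names set before any login)."""
    own_host = urlparse(page_url).hostname
    collector = ResourceCollector(page_url)
    collector.feed(html)
    hosts = {urlparse(u).hostname for u in collector.urls}
    # Assumption: any host other than the page's own counts as third party.
    third_party = sorted(h for h in hosts if h and h != own_host)
    cookies = [h.split(";", 1)[0].split("=", 1)[0].strip() for h in set_cookie_headers]
    return third_party, cookies

# Constructed sample: a page pulling a framework from a CDN, served via a proxy.
SAMPLE_HTML = """
<link rel="canonical" href="https://other.example/post">
<link rel="stylesheet" href="https://cdn.example.net/framework.css">
<script src="//cdn.example.net/framework.js"></script>
<script src="/js/site.js"></script>
<img src="images/logo.png">
<iframe src="https://social.example.org/button"></iframe>
"""
SAMPLE_SET_COOKIE = ["proxy_id=d41d8c; Path=/; HttpOnly; Secure"]  # constructed

if __name__ == "__main__":
    print(audit("https://blog.example/post", SAMPLE_HTML, SAMPLE_SET_COOKIE))
```

An empty result for both lists on an anonymous page load is the state the article describes; anything listed is a host or cookie the operator did not necessarily choose.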

------
simonblack
Perfection is _not_ when there's nothing more to add, it's when there is
nothing more to take away.

My website is also 'bare-bones'. What do we need all that extraneous crap for?
People who want to look at it will. People who don't want to look at it won't.

Want more eyes on your site? Make it more interesting.

------
nkozyra
There's obvious merit to this, and it harkens back to a 'purer' day of the
internet.

But, big - huge - businesses exist (often exclusively) on the internet in
2020, and suggesting that nobody should worry about collecting metrics on
traffic/usage is really not feasible when your bottom line depends on making
sure those numbers are moving in the right direction.

Don't get me wrong: those companies collect _too much_. There's no need to do
some of the deep, cross-site data sharing that most big web sites do. But
analytics? Advertisements? Seems like fair game. Even if you run a boutique
blog, you're going to want more real-world feedback than "hit me up on
Twitter."

The larger complaint here (at least in the first half of the article) seems to
be the lack of elegant ways to present this compliance. Nobody seems to do it
in a way faithful to the law without ruining your browsing experience. Maybe
that's the point.

~~~
SifJar
> lack of elegant ways to present this compliance

Seems like moving it into the browser permissions model could be a good way -
in a similar way to how websites can ask for permission to show notifications or
use your camera, and the browser handles prompting the user etc.

At the very least, it'd be more consistent across websites, you could see in
your browser settings at any time which sites you have allowed to store
cookies, probably set a global allow/reject etc.

I'm sure there are various reasons why this hasn't been done though

~~~
rusk
> I'm sure there are various reasons

... like requiring explicit consent :)

Really interesting human behaviour occurs when the subject isn't being
watched. There are numerous headings for this in various fields: "Hawthorne
effect", "panopticon", "Heisenberg effect" etc.

Of course, in principle the "cookie banner" should alert you to this, that's
the point. But after a while people just get used to them. At least it's
better than them not being there though ... can't say you weren't warned!

~~~
SifJar
explicit consent... like what is obtained by browser before allowing
notifications or camera access etc.?

I don't see how it's different?

~~~
rusk
Sorry I might have overcomplicated my response and missed the point which is
that those doing the tracking prefer when you’re not aware

~~~
SifJar
Ah, well of course they do. Doesn't mean they should be allowed to :)

~~~
rusk
That’s what I mean :)

------
Avalaxy
Great for your personal blog, but let's not assume this works for most
businesses.

~~~
warpech
It works for DuckDuckGo: [https://duckduckgo.com/](https://duckduckgo.com/)

However it won't work for any site that uses client log in.

~~~
the8472
You only need to set a cookie when the user logs in. So as long as the user
isn't logged in or in the process of logging in there's no need for a banner.

~~~
TeMPOraL
You only need a banner if you use cookies for tracking. If all your cookie
does is enable the login form, you don't need the banner. That's the "one
weird trick" TFA describes.

------
triiif
lost 2 min of my life reading this shit.

install the extension 'i don't care about cookies' if you don't care

[https://chrome.google.com/webstore/detail/i-dont-care-about-...](https://chrome.google.com/webstore/detail/i-dont-care-about-cookies/fihnjjcciajhdojfnbdddfaoknhalnja)

[https://addons.mozilla.org/fr/firefox/addon/i-dont-care-abou...](https://addons.mozilla.org/fr/firefox/addon/i-dont-care-about-cookies/)

------
faintrain
Ha. I see what the writer did here. I was expecting a legal or technical
solution of a different kind lol.

Now if I were to send this article to the business team at my company in order
to make a point about privacy I’m sure it would result in one way.

They’d be pissed I wasted their time telling them not to track based on the
views of the author who clearly doesn’t understand and hasn’t fully
articulated the business implications of not tracking which are numerous.

No track is like security regulations in healthcare. Yes it makes sense but
when you think about the implications to the system as a whole there will be
negative impact.

1. Loss of jobs (lack of data collection in business)

2. Loss of lives (greater security requirements in healthcare)

Why loss of jobs? Because guys like Jeff Bezos will lay-off staff before
impacting his and his shareholders wealth in any significantly negative way.

Tell me why I’m wrong.

~~~
bmn__
> Tell me why I’m wrong.

With pleasure. Not having one's fundamental human right to privacy¹ undermined
trumps the wants and needs of the business team at a certain company.

¹ Art. 12 UDHR, also mentioned in over 150 national constitutions

------
Nasrudith
Let's start with an analogy. Solving noisy fans via a specially designed
radiator case is clever. Saying "just don't use fans" is useless smugness.
This "article" is useless smugness.

Yes, not using cookies is a way to avoid it. To be useful for anything but
personal satisfaction the function fulfilled needs to be solved as well. Even
if it is a niche and highly qualified solution like "a low bandwidth largely
plain HTML website with lower yielding non-tracking ads or a donation page can
actually yield more money per hosting cost but results in far smaller
websites" would still be infinitely better.

~~~
ceejayoz
> Saying "just don't use fans" is useless smugness.

Is it? You can buy fanless computers of various kinds, and it may make sense
to do so in certain scenarios. One shouldn't put a fan in a computer "because
computers have to have fans", but that's the approach a lot of companies take
to tracking. Data gets hoarded and never looked at.

------
bouk
What a lot of people don't know is that you're allowed to use cookies for
analytics purposes with GDPR, as long as you're anonymizing and as long as
they're not used for cross-site/device tracking and advertisement.

The Dutch personal data authority even published a guide for Google Analytics
explaining exactly what to do:
[https://www.autoriteitpersoonsgegevens.nl/sites/default/file...](https://www.autoriteitpersoonsgegevens.nl/sites/default/files/atoms/files/138._handleiding_privacyvriendelijk_instellen_google_analytics_aug_2018.pdf)
and they ruled that you don't need permission to enable the cookies when you
do. You do need to have a privacy policy however.

~~~
mwnivek
Do you know if there is a resource similar to your link that is written in
English?

------
enriquto
Notice that browsing without cookies nor javascript makes such notices
invisible and most sites much faster and usable.

------
SimeVidas
I found a loophole to prevent corruption

Stop. Wanting. Money. All. The. Fucking. Time.

In case it’s not obvious, the article is a publicity stunt.

------
smoyer
I've eliminated cookies from my systems too ... I just put my tracking
information in local storage.

~~~
ceejayoz
GDPR anticipated that trick. It doesn’t work.

[https://law.stackexchange.com/questions/30739/do-the-gdpr-an...](https://law.stackexchange.com/questions/30739/do-the-gdpr-and-cookie-law-regulations-apply-to-localstorage)

------
Grumbledour
I do wonder why so many big websites have chosen to present huge annoying
cookie banners to people that are still, at first glance, a clear violation of
GDPR. (Like having no explicit opt-in, often not offering an opt-out besides
the notice to close the site etc.)

Why annoy your users if you are not compliant anyways?

------
toxicFork
What happens if you use cookies but for non tracking purposes?

~~~
neikos
The rules are somewhat imprecise, but basically any functional cookies do not
need to have consent as it is implied by the user using the service. This
includes things like the user-identifier to know who is logged in for example.

~~~
toxicFork
That's good to know. I thought "any cookies" meant "need banner"

------
tedk-42
Clickbait title as it's not a loophole.

------
bil7
i hate tech blog clickbait so much

------
therealmarv
Haha, I discovered this loophole too when GDPR was introduced. I also removed
all tracking code especially from smaller sites. I don't care about tracking
users there.

