Hacker News new | past | comments | ask | show | jobs | submit login

So websites are supposed to just absorb the cost? That seems like a ridiculous stance.

No, they're supposed to serve generic, non-tracking ads. Non-targeted, or whatever the terminology is.

It's hilarious how everyone has just forgotten that used to be a thing. The people on this website are literally the problem, you can't even conceive of a website that doesn't track every click you make across the whole internet, and you guys are the people building the new web.

It has never been a thing, that's why. Adverts have been targeted for decades before the internet existed at all.

Do you think TV adverts are placed randomly? They aren't. Different times of day have different value to different advertisers. TV ads are targeted based on detailed knowledge of audience demographics.

Do you think billboard ads are placed randomly? They aren't. Their placement is optimised based on the beliefs of the ad firms about who will drive past them or see them.

Do you think internet ads were placed randomly before AdSense? No, they were targeted by rough demographic guessed from the sites content just like TV and billboard ads were.

All that's changed on the internet is that targeted has got more precise and more sophisticated. But there's no bright line separating "generic" from "targeted" ads, like you imagine. And the better targeting is hardly an optional feature like the DPAs seem to imagine. It increases revenues which enables firms to provide new content and new features. Roll back the web to 1990s era ad techniques and now all the ads on generic sites like news or search with no clearly defined audience will be barrel-scraping "punch the monkey" animations, for those of us who remember that stuff.

I have my own ad that I made for a client. No third party is offering these kinda of ads because of fraud.

Is that really true?

I think it has more to do with an anti-authoritarianism attitude than anything else.

Which is what DuckDuckGo does, I think.

Data addiction. Just say no.

It’s not possible to do a lot of normal web stuff without session cookies.

The concepts of a session cookie is different then a cookie used for advertisemnet that tracks you across the internet. The problem is tracking and ads, not authentication and authorization for functional purposes. Cookies are just one way to track people and serve ads, there are many others.

Facebook is a great example on keeping diluting these concepts. They ask for your information for function security purposes and then go back and use that same data for ads - that is unethical and has to stop.

Which is irrelevant, because session cookies don't need a warning. There is no reason to equivocate session cookies with tracking cookies.

Cookies are allowed, tracking users without consent is now illegal in EU (regardless which technology is used).

The GDPR doesn't regard cookies that serve a bona-fide business purpose. You are free to use cookies to provide a shopping cart, or allow users to log in to an account at your store, or whatever. It's specifically tracking and advertising that is forbidden.

If the user is not getting something out of it (besides the generic "access to my website") then presumptively don't do it. GDPR is literally as easy as that.

GDPR understands full well that you need session cookies to provide a shopping cart or user account. That's why there's specific exemptions for it.

Define "a lot of normal web stuff". How did we ever do normal web stuff before session cookies?

I mean, we have had session cookies since the first version of netscape. Almost everything we think of as 'normal web stuff' is post cookies.

We telnetted into places.

Session cookie in the URL?

I think they would start another fire, and get another blanket

We didn't

"It's hilarious how everyone has just forgotten that used to be a thing"

Ads were always a thing, they're just going to be better targeted with more info.

There is no free lunch, so what this means is the 'no cookie' users may be exposed to more ads.

I understand the market dynamics are not working very well, but we have to remember that information provided is not free either.

you will get as many ads as the typical user is able to bare no matter what.

The underlying economics are unavoidable.

Companies are not trying to 'do inherent evil' - they just want to show relevant ads. And by the way, consumers definitely appreciate the relevance.

There is another side to the equation, and there are economic consequences to all of this that will come home to root.

Personally, I loathe Facebook and don't use it for personal reasons, but I have a small business and it's the only advertising mechanism that works for us: we have a neat little product for a niche category.

There are entire economies that can only exist with the ability to effectively get the word out, there is tremendous social good in this.

We just have to figure out a way to do it that fits within reasonable privacy guidelines.

Websites are allowed to charge you. They are also allowed to show (non-tracking) ads, and they can also track you if you agree to it.

What is not allowed is to withdraw services to those that want to exercise their right to privacy.

Thanks, this helps clear up some of my understanding. I still think its ridiculous that websites can't refuse to serve who they want.

Why? It's relatively common for governments to prohibit businesses and services from discriminating against certain types of users, why do you think it's ridiculous in this specific case?

Whether we like it or not, tracking data used for ads is the currency of the free internet. It is how things are paid for.

This is like a government saying to a restaurant "You can't discriminate against people who don't want to pay you money for the food. You can ask them if they are willing to give you money for the sandwich, but if they say no, you still have to give them the sandwich"

Tracking is not necessary to make money online. It’s just helpful.

It’s more like the government saying, you can’t discriminate against people who demand that their food is cooked in a kitchen that isn’t filled with cockroaches. It’s going to hurt the bottom line, and might kill some businesses, but it doesn’t reduce to a prohibition on making money.

> It’s more like the government saying, you can’t discriminate against people who demand that their food is cooked in a kitchen that isn’t filled with cockroaches

What?! Are you seriously speaking of prohibiting cockroaches?

Cockroaches are everywhere! They are essential to survival of businesses! And it would be impossible to completely get rid of them anyway. Prohibiting cockroaches in public restaurants would push immense cost upon eaters. Without cockroaches how could we possibly get rid of the food waste, that routinely accumulates in kitchens? Do you expect us to spray our kitchens with toxic pesticides? To hire some specialized people of to lick food scraps off kitchen stoves with their bare tongues?? Insane!

Clearly, you are the enemy of the people.

I think a better example would be: you can only get food if you give us your address and consent that all other restaurants in the vicinity send marketing mail to you. You also consent that we and they exchange information about when and what you ordered.

To me it sounds very sensible to make such a business practice illegal.

That actually sounds pretty good if you don't have much money. Free food in exchange for agreeing to receive free scrap paper.

I'd totally use this service if it existed.

"the government" as in >we the people< says to all the restaurants (and groceries): this stripping of all of our clothes before entering is nonsense and we can't choose not to eat, so we will force you.

If that's so, it's as if an unknown and possibly arbitrary amount of money was taken from your wallet every time you picked something up from a store. Yes, it's nice that I can walk into Whole Foods and just pick up a few oranges and leave, but if I get home and it turns put they cost $25 each, is it worth it? The data market is not mature and transparent enough for the transactions it's capable of making.

> Whether we like it or not, tracking data used for ads is the currency of the free internet. It is how things are paid for.

You're right, it's the currency now. It would be great if it wasn't. If there was some way to force the industry to come up with new, non-privacy-invasive methods... Hey maybe if we made a law to ban the old, bad, way....

>tracking data used for ads is the currency of the free internet

Advertisers will still pay for ads even without the tracking.

The only examples I can think of for the US where this happens have to do with historically discriminated classes of identities; e.g., gender, racial minority, etc.

Are there other examples?

Agreed. I think of it akin to smoking, drinking, drugs, speeding, or various other acts you can partake in. The government should largely stay out of your life but society has deemed some things "for your own good". In this case, I could see certain types of advertisements or data harvesting which is largely misunderstood to be managed by the government, where they decide that companies can't track you - whether you want them to or not.

Disclaimer: I'm not saying I agree with any of this. Nor that any of this is truth in any way. I just view the governments involvement here, saying how ad companies can behave, to be similar. Whether that is good or bad is complicated, and out of the scope of this conversation.

There's been laws about that sort of thing for decades. A business can no longer refuse to serve black people. So we, as a society, are using that logic.

They can refuse to serve you, however, they can't then turn around and claim that those who clicked "I consent" actually did freely opt-in to tracking because they genuinely wanted to be tracked - because, obviously, they most likely did not.

In essence, GDPR states that you're not allowed to violate the privacy of people unless they really want to (freely given, informed, narrow/specific opt-in consent) - and this time, all the oft-used loopholes to "extract consent" don't really fulfil the criteria, as forced consent is not considered consent.

If the cost is for hosting a bloated 14MB page, 30% of which is hostile JavaScript, let's talk about ridiculous. "But we need that JavaScript to scrape the data and run the ads to pay for hosting all that JavaScript!"

My stance is even more ridiculous: Deadbeats who can't afford hosting without begging, selling ads, or turning against their users, scale your site down to something that's cheap to host, or get the hell off the internet. Back to the amateur web of the 90s. It was fine.

Yes absolutely! Websites need to find revenue models that don’t depend on violating the privacy of their users. That stance makes a lot of sense to me.

There are tons of websites that have other revenue models. Subscriptions, referral models, etc.

Shouldn't people be able to choose what currency they want to pay for something in?

> Shouldn't people be able to choose what currency they want to pay for something in?

Thats a very libertarian position statement and I understand it. But the EU is much less capitalist/libertarian than you are. Their parliament made the call that they don't want people paying for services with their personal data.

There's valid arguments on both sides here. Some arguments supporting the EU's stance:

- If online newspapers get paid in proportion to views, they make more money by writing divisive clickbait

- Privacy is a fundamental right; not a currency. Treating it as currency means only wealthy people will be free from spying, and that is borderline dystopian.

- Advertising on the internet worked just fine before everyone was tracked and monitored through every click. Don't annoy me with cookie notices. Just don't use cookies for tracking and we'll get along fine.

How is it a fundamental right?

We as sovereign citizens of the EU decided it was so.

That doesn't make it a fundamental right.

What, to you, makes something a fundamental right?

The EU's document is "Charter of Fundamental Rights of the European_Union"[0], which does grant privacy as one. That pretty clearly does make it a "fundamental right".

Note the US Constitution's Bill of Rights does not offer right-to-privacy (but the 4th provides protection from searches-and-seizures without probable cause, which really doesn't deal with "privacy", especially from non-governmental actors).

Perhaps parent should have said "fundamental right granted by the EU", but in this context it's pretty clear.

[0] https://en.wikipedia.org/wiki/Charter_of_Fundamental_Rights_...

Contracts of adhesion don't lead to very good choice. And pretty much no site lets you choose what currency to pay in when it comes to ads. Realistically that would mean an option to pay a fraction of a penny per page.

So 'choice' is already something that has failed in the free market. Bring on the privacy.

It's been proven over and over again that people won't pay for content that gets successfully monetised with advertising.

You only have to see the howling every time someone posts a subscription only newspaper link on HN to see how vehemently opposed people are to paying for stuff like news.

So that means consumers have chosen to forgo their privacy to avoid paying money for content. Why can't I make that choice myself?

Why doesn't MC Donalds sell pizza? (I know they did at some point and gave it up). Because their customers don't want it, or at least not enough of them do.

"Subscribe or fuck off" is a stupid business model when it costs practically nothing to implement multiple revenue streams. This is such an obvious point.

That is what Washington post does, I think. You can agree to tracking or pay money.

Well, saying it's ridiculous isn't an argument.

it's expensive and maybe non-viable for many websites. But it's not like all websites need to exist? There was a world wide web before cookies.

>There was a world wide web before cookies.

I like to think of that time as a great time too, but oh man so much we couldn't do.... I get what you're saying generally, but man I'd hate "before cookies" to be the standard.

The big use of cookies for re-authentication and carrying around a session id enabled clean URLs lacking your session id as a query param, but it wouldn't be that big of a deal to lose it. You'd need to be careful with copy-pasting URLs -- but given browsers standardized on cookies they could have standardized on a sessionId param name to filter out of copy-pastes or not even display it at all similar to Chrome's proposal to not display the protocol, just a "secure" flag or not. A similar "session context established" flag could have been made. And in the age of password managers and/or having your browser remember your login, it wouldn't be that much of a loss to require logging in to everything again every time you restart your browser... maybe more of a pain with 2FA.

I don't really see it as "what we couldn't do" but "what poor usability we have overcome". I'm glad we have cookies and other forms of local storage, especially for the latter there are many other benefits. Maybe one day we'll get Web SQL.

In the meantime people can still disable cookies entirely, or at least delete them when they close the browser, both with out of the box browser settings (and I have no idea what extensions are available to do even more) and return to that less-usable (if slightly more private) experience. The crucial idea of a "user agent" is I think the biggest mindset change the web brought, it's important to keep that even if on the dev side we constantly complain about being asked to support more than one configuration of anything.

>I don't really see it as "what we couldn't do" but "what poor usability we have overcome". I'm glad we have cookies and other forms of local storage, especially for the latter there are many other benefits. Maybe one day we'll get Web SQL.

Yeah I think that's accurate.

It's a little weird sometimes reading all these articles about cookies, JavaScript, etc and I always think "But I use those things to ... give people things, convenience, data, help them do things." But so many times it's not treated as a tool, it's almost implied to be a negative thing.

90% of web developers give the rest of you a bad name.

I really wonder if it is more 90% of really visible things give a bad name.

Most just do stuff nobody sees at any volume.

That’s a good point. One bad web developer at, say, Facebook cancels out millions of people working on less visible stuff.

give people things, convenience, data, help them do things

Have you ever reviewed how little you need in order to do all those things, outside of third-party dependencies? Any second guesses at all?

I don't know what you mean exactly.

This will work until the EU in decides you must ask the user permission before you can change the query string. Technology was not the cause of this problem and it won't be the solution.

The WWW before cookies was pretty limited, and didn't last long. I mean, the first web browser was released in 1990, and cookies were introduced in 1995.

We didn't have e-commerce before cookies.

There was e-commerce before cookies.

The same functionality of correlating multiple requests for a single request (building sessions upon packets) was just more difficult to use by encoding the session ID as a parameter in query string for each request. Many frameworks still support this mode.

Cookies pre-date SSL, so how were they securing that e-commerce that existed before cookies?

Nobody cared. I submitted CC numbers over http connections for years in the late 1990's. I emailed them sometimes, too. I also used telnet across the public internet and never got my passwords sniffed or mitm'd (only on hacker meetups where I would lure people into honeypots by doing fake telnet sessions :) )

By using secure networks? PPP is older than SSL and have been in widespread use for longer time.

SSL is largely irrelevant to banking security anyway. Actual security is built upon charge-back system. The underlying security model was designed when everyone trusted written checks.

Does placing an order on a website, then sending a check in the mail still count as e-commerce?

you can actually have an ad without tracking you know that right?

Believe me they are getting paid, read surveillance capitalism for the real story, http://www.shoshanazuboff.com/new/recent-publications-and-in... stop deferring your choice! to big technology monopolies, tell them stuff their cookies where the sun don't shine.

>So websites are supposed to just absorb the cost? That seems like a ridiculous stance.

The €0.00002 it took to serve that one page just because the user doesn't want to consent to cookie placement/tracking? Is it really that harmful?

NPR seems to do this just fine for GDPR reasons: Decline and Visit Plain Text Site

The cost to serve the page is a misleading number to use. You also have to factor in the cost to create the content, manage the service, etc.

I mean, by your argument, all digital goods should be free, since it never costs much to transmit the bits.

My argument was one user who requested one page and didn't want to consent to cookies/tracking in order to offset the ridiculously low cost of serving the actual page (I'm considering the cost to make it as having already been burdened, as it's already being served).

The OC didn't consider the fact that you can have advertising without cookies/tracking/fingerprinting and just reduced it to absrudism by saying that the company would bear the brunt of the cost but even the cost of that single event is marginally insignificant, overall.

So, no, my argument was never about all digital goods being free. However, if we want to play the devil's advocate and utilise your reduction to absurdism: By your argument, shouldn't all digital goods be paid for...? For example, Ubuntu costs money to host and serve, yeah?

In fairness it can add up pretty quickly on popular sites.

I do love NPRs approach though.

>In fairness it can add up pretty quickly on popular sites.

Aye, if they're only looking at it from a "cookie placement/tracking or nothing" hard-limit perspective, which is what the OC posited it as.

...but if other sites can absorb the costs, case in point: NPR, why is it such a dastardly evil thing to point out? Is there some foolhearted belief that if we cut tracking, tomorrow, the internet would cease to function? Is there absolutely no room for advertisements without cookies/pixels in the modern world...? Do we really believe that it's that expensive to serve webpages?

of course it's not expensive to serve pages. but creating content and services that are worth serving can be pretty expensive.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact