Yes, This Site Uses Cookies, Because Nearly All Sites Use Cookies (techdirt.com)
10 points by caution 15 days ago | 17 comments

I know how to solve their problem. If they only use cookies for the reason written here (to remember preferences) they should not need to store any cookies as soon as I just visit their site and therefore they should not need to show any annoying text about cookies until I change any preferences.

But for some reason they did send two cookies to me when I just visited the site without doing anything.

And "because other sites do it" is not enough reason to use cookies.

Or, it would just be safer to put up the cookie banner to avoid confrontation with others without such a nuanced understanding of the cookie law.

I could imagine cookies being implemented by the browser in the same way that webcam permission is requested. Something along the lines of "this website is requesting to store cookie "domain;X with purposes Y". This would make setting millions of cookies a UX sin, and cookies would only be set on predictable user interactions such as logging in. Unfortunately the definitions of "purpose" will still need to be defined by regulation to be enforceable. Once you can identify a user, there's no technical limitation that can prevent tracking.

It used to be the case; I distinctly remember IE during the Windows 95 era, and maybe 98 as well, popping up questions asking you if you want to accept cookies.

The whole cookies acceptance pop-up was also in the original cookies spec; somewhere down the line browsers stopped asking, mostly due to the fact that sites got dependent on cookies more and more, especially in the early days where there was little to no session management on the server side, so you had to either use cookies to store all the state information or encode it into the URL and have your CGI script parse through it.

I was there, and it was one of the first things for which you clicked in the "yes and don't bother anymore" tick to make the dialog silent in the future. It was kinda pointless back then, but also there was no data protection law, and data collection and profiling was not a thing.

So, what if those dialogs would come back? Maybe with a more user-friendly UI to accept a site's ad tracking cookies or not, and remember the choice for the future? Would users care about them? Would browser vendors care about them? Would sites acknowledge the choice made?

I looked a bit closer at their cookies. The two cookies that they send are called "__cfduid" and "tdukey". Both of them look like hash values.

__cfduid seems very random. It changes every time I reload the page.

tdukey stays the same. Even when I remove it or use a different browser it comes back to the same value. When I connect through Tor it gets a different value. When I click "new circuit" in Tor it changes to a different value. So it looks like this cookie is a hash of the IP address you connect from.

__cfduid is a CloudFlare cookie; it's a randomized hash of your IP address to prevent it from being blocked by other users on the same address.


TDUkey is likely the one that holds the persistent IP value hash for the randomized one to work correctly.

The problem is not using cookies, it's collecting personal data about users, which is aided by cookies. This requires active consent in Europe, which this website does not allow.

If I'm not mistaken, you don't need to have a cookie banner if you only have essential cookies.

You indeed only need to seek consent when there is no other legal basis for collecting user data. Other legal bases include fulfilling a contract with someone (shipping something to their home) and if it's a vital interest (like saving the person's life by looking up their blood type by their name in a database).

On the other hand, GDPR also says you have to inform the data subject about the data processing, who you are, their rights, etc. Whether a link to the privacy policy at the bottom is enough, I don't remember off the top of my head, but I think so.

At this point in time sites will put the banner "just because", or even for satire/ironic purposes (like the late '90s "best viewed with any browser" banner).

What if, without the banner, an overzealous bureaucrat tries to extort some money from you for an alleged GDPR violation? What if the news will cover that your site is being investigated for a GDPR violation?

> they seemed to indicate that because we still use other types of cookies (again, including cookies to say "don't show this person any ads"), we had to put up the notification anyway.

A cookie like "show_ads:false" contains zero personal information.

GDPR does not regulate cookies and does not require cookie banners (search https://gdpr.algolia.com/ for “cookie” and you’ll get no article hits).

It does, however, say that you own your own personal information, and your permission is required before it can be used.

CCPA is toothless and offers no PII protections (and definitely does not require a cookie banner).

Complete lack of understanding of the law

And some sour grapes to top it off

Why isn't there a standardized API to voluntarily tell websites "I don't mind cookies" and bypass those messages?

Perhaps it's time for browsers to step in, and ask for permission just like when sharing location settings.

That is just what they did

I think, when I used Internet Explorer, version 5 or so, for everything, there was a setting to ask before setting any cookie.

Why did we ignore the P3P policy proposal by IE6?
