Ask HN: A way to adblock “we're using cookies” popups?
668 points by rayalez 22 days ago | 338 comments
Whatever the intent of the GDPR was, the practical result is that now I have to click away the annoying "we're using cookies" popup on every website.

Is there any way to do this automatically? If there isn't - there should be. Maybe people should use some special tag for them, so that it would be easy for users to block them on all the websites, if they want to.

If you are already using uBlock Origin, go to settings > filters list > annoyances, turn on easylist-cookies.

I am amazed at how much that annoyed me, too - and why I never bothered to find out that uBlock Origin has this as a hidden feature. Awesome. I just also turned on all of the other annoyance settings. Is there a good chance of real content getting removed, on occasion, or do they work quite good?

It's pretty easy to make your own, too. I use the element zapper and picker to block Reddit's incessant demands that I use "new" reddit and get a "premium" membership. I also use it to block Facebook's "trending" bullshit.

Either an element zapper or a one click sticky-header killer should honestly be standard issue features in browsers nowadays. The web would be miserable without them, especially on mobile.

I'm just concerned that's inviting an arms race where unwelcome page elements get randomized CSS namespaces. Fuck that noise.

In that case we could just match by the CSS rules' content - i.e. match all elements that have style X, Y, Z applied to them. That kind of arms race would be over real quick.

The arms race is that the next time you come back to the page, the offending element has a slightly different style (randomized CSS class name, RGB values changed by 1, font size changed by 0.1...) and your browser doesn't recognise it as being the right element to block.

Match by ranges so changing values by 1 doesn't work. At the end of the day a human would have to come up with an entirely alternative style for the page to defeat your filters.

Pretty much any machine generated variations can also be defeated automatically by a machine. If defeating your filters takes a lot of work, and only helps until a few days later you update your filters in a few minutes, nobody is gonna bother.
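The match-by-ranges argument from the comments above, as an added illustration (not code from any commenter or from uBlock Origin). The element snapshots, property names and rule format are constructed for this sketch and are not a real filter syntax.

```javascript
'use strict';

// Constructed snapshots of the same overlay's computed style on two visits.
// The site randomizes the class name and nudges numeric values on each load.
const visit1 = {
  className: 'c-8f3a',
  style: { position: 'fixed', bottom: 0, zIndex: 9999, fontSize: 14, background: [34, 34, 34] },
};
const visit2 = {
  className: 'x-b71e',
  style: { position: 'fixed', bottom: 1, zIndex: 10000, fontSize: 14.1, background: [35, 34, 33] },
};
// Constructed non-targets: ordinary article text and a sticky header pinned to the top.
const article = {
  className: 'post',
  style: { position: 'static', bottom: 0, zIndex: 0, fontSize: 16, background: [255, 255, 255] },
};
const header = {
  className: 'nav',
  style: { position: 'fixed', top: 0, zIndex: 100, fontSize: 15, background: [250, 250, 250] },
};

// Brittle rule: exact class name, as a hand-picked cosmetic filter would record it.
function matchesClass(el, className) {
  return el.className === className;
}

// Range rule (hypothetical format): each property is an exact string,
// a [min, max] interval, or one interval per colour channel.
const overlayRule = {
  position: 'fixed',
  bottom: [0, 20],
  zIndex: [1000, Infinity],
  fontSize: [12, 16],
  background: [[0, 64], [0, 64], [0, 64]],
};

function inRange(value, [lo, hi]) {
  return typeof value === 'number' && value >= lo && value <= hi;
}

// An element matches only if every property in the rule is satisfied;
// a property missing from the element counts as a mismatch.
function matchesRule(el, rule) {
  return Object.entries(rule).every(([prop, want]) => {
    const got = el.style[prop];
    if (typeof want === 'string') return got === want;
    if (Array.isArray(want[0])) {
      return Array.isArray(got) && got.length === want.length &&
        want.every((range, i) => inRange(got[i], range));
    }
    return inRange(got, want);
  });
}

for (const [name, el] of Object.entries({ visit1, visit2, article, header })) {
  console.log(name, 'class rule:', matchesClass(el, 'c-8f3a'), 'range rule:', matchesRule(el, overlayRule));
}
```

The class rule recorded on the first visit misses the second visit, while the range rule matches both visits and still leaves the article body and the top header alone.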

Whitelist, not blacklist.

Which would break CSS minifiers, but that's the point.

That's already the case with sites like Twitter. In order to remove the trending pane in uBO, I had to rely on a11y attributes:

##div[aria-label="Timeline: Trending now"]

I hate to tell you this, but we're already there.

You can have filters that look at parent or child elements of the randomized element or other patterns.

And random structure to break nth-child selectors.

Even better: draw everything in a canvas.

One-click sticky-header killer via JavaScript bookmarklet


I activated all the options in uBlock Origin a couple months ago and didn't miss anything so far. Of course when I visit a new site it's hard to know, but the few times where a site was obviously missing some content it turned out to be broken in general.

So I would say the filter works pretty well, I didn't get a single popup of any sort ever since.

I have had all lists except the extra languages lists enabled for a couple years now. Online fast food ordering sites (e.g. Chipotle) are the only ones I've noticed get broken.

> Is there a good chance of real content getting removed, on occasion, or do they work quite good?

Yes, I sometimes get some real content removed. If something looks strange, I temporarily deactivate uBlock. Last time it was a GDPR checkbox at a store checkout.

Normally I disable uBlock if I'm actually buying something from a website exactly for these sorts of issues.

Or just use a different browser/Firefox-profile which still has uBlock Origin installed but with only the default filter lists...

OMG. Why have I been wading through the interweb of annoyance all this time?

It’s amazing how much of a difference this makes. I was starting to find the web so hostile. Every page an annoying battle with cookie pop ups.

I am so genuinely happy

Or cookie consent block list https://www.i-dont-care-about-cookies.eu/

Yup, I use this one as well, and it's fantastic. The developer is a nice chap as well, and can give you an invoice for your donation.


I sure hope you were joking.

Does this automatically remove the element and give no feedback to the site, always give the site permission to set cookies, or always deny the site permission?

Legally I haven't given affirmative permission so they're not allowed to track me. The same if I just ignored the cookie banners (which is what I did... until 2 hours ago when I saw this post).

Practically I assume most of the sites are breaking the law, because that's how I expect webdevs to think and because most of the cookie banners aren't nearly up to spec to satisfy the law so I assume they aren't being that careful.

The Irish data privacy regulator recently did a sweep of 38 Irish websites, reviewing for cookie compliance. Two-thirds of websites were found to be relying on "implied consent" and 37 were found to set unnecessary cookies on landing before consent was given. Overall only 3 websites were rated as "substantially compliant."

Further reading: https://www.dataprotection.ie/en/news-media/publications/rep...

Every site involved will say compliance is too difficult or whatever.

What I wonder is, if you're not going to bother being properly compliant, why bother adding a GDPR banner at all?

Because your boss has a boss who has a legal adviser who tells him they have to have the appearance of meeting the requirements of the law/regulators. Compliance theatre. They all know it's smoke and mirrors but it ticks a box in someone's board meeting agenda.

Because there's a huge difference between being "blatantly non-compliant" vs "properly compliant".

I suspect most sites will get a warning first. I have a website myself with Google Analytics and I've never added a banner myself, I'll wait for the warning first, and I expect my users to have blockers installed if they're privacy-conscious.

If GDPR starts to be enforced, they’ll go after the low hanging fruit first.

You don’t need to be compliant, just more compliant than the worst.

I haven't tested, but as far as I'm aware uBlock Origin never sends anything back to a site, it just blocks content so I expect that it would just remove the element with no feedback.

tldr; uBlock Origin removing the html element containing the "we use cookies" banner is effectively the same as clicking "OK" or "Accept", even without notifying the site/server. If there are any exceptions, they are extremely rare.


Long answer:

The vast majority of sites that show the GDPR "we use cookies" banner remember you clicked "OK" or "Accept" by setting a boolean value, either in its own cookie or as a key-value in your session cookie's storage (whether stored client-side or server-side). The ONLY thing the boolean does is determine whether or not to show the banner. That's it. I've never known of a company or site that changes the privacy/retention behavior of its features based on clicking "OK" or "Accept".

As I understand it this solution doesn't follow the law, as users are supposed to be able to decline cookies and somehow still maintain state; the lawmakers don't understand a session is necessary for things like logins, so of course companies compromise with a simple banner that you need to accept/dismiss to "grant permission". When was the last time you saw a "Decline Cookies" button? If you click it, does the site work as expected? Answer: probably not, or the site uses the same cookie/session strategy anyway without telling you.

Source: I've seen dozens of such implementations, and they're all the same. If the cookie/session value indicates not to show banner, then the layout/view simply skips outputting the banner. No other line in the entire code base ever reads the value of that cookie/session.
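The banner-only pattern described in this comment next to a consent-gated one, as an added example (not code from the commenter or from any site discussed in the thread). The cookie names `session_id`, `analytics_id`, `ad_profile`, `cookie_banner_dismissed` and `tracking_consent` are hypothetical, and the request headers are constructed.

```javascript
'use strict';

// Hypothetical cookie names for this sketch; real sites choose their own.
const ESSENTIAL = new Set(['session_id']);                  // login / cart state
const NON_ESSENTIAL = new Set(['analytics_id', 'ad_profile']);

// Parse a Cookie request header into a Map of name -> value.
function parseCookies(header) {
  const jar = new Map();
  for (const part of (header || '').split(';')) {
    const pair = part.trim();
    const eq = pair.indexOf('=');
    if (eq < 1) continue;                                    // skip empty or nameless parts
    jar.set(pair.slice(0, eq), pair.slice(eq + 1));
  }
  return jar;
}

// Banner-only pattern: the stored flag decides whether the banner is shown,
// and nothing else reads it. Tracking cookies are issued either way.
function bannerOnlyResponse(cookieHeader) {
  const jar = parseCookies(cookieHeader);
  return {
    showBanner: jar.get('cookie_banner_dismissed') !== '1',
    setCookies: [...ESSENTIAL, ...NON_ESSENTIAL].filter((name) => !jar.has(name)),
  };
}

// Consent-gated pattern: only an explicit "granted" unlocks non-essential cookies.
// A missing value (banner ignored, or hidden by a content blocker) is handled
// exactly like "denied", and leftover tracking cookies are cleared.
function consentGatedResponse(cookieHeader) {
  const jar = parseCookies(cookieHeader);
  const consent = jar.get('tracking_consent');               // 'granted' | 'denied' | undefined
  const granted = consent === 'granted';
  const wanted = [...ESSENTIAL, ...(granted ? NON_ESSENTIAL : [])];
  return {
    showBanner: consent === undefined,
    setCookies: wanted.filter((name) => !jar.has(name)),
    clearCookies: granted ? [] : [...jar.keys()].filter((name) => NON_ESSENTIAL.has(name)),
  };
}

// Audit helper: non-essential cookies a response sets with no consent on record,
// the condition the regulator sweep mentioned earlier in the thread looked for.
function cookiesSetWithoutConsent(cookieHeader, response) {
  const granted = parseCookies(cookieHeader).get('tracking_consent') === 'granted';
  return granted ? [] : response.setCookies.filter((name) => NON_ESSENTIAL.has(name));
}

// Constructed first-visit request: no cookies at all, banner never clicked.
const firstVisit = '';
console.log('banner-only  :', cookiesSetWithoutConsent(firstVisit, bannerOnlyResponse(firstVisit)));
console.log('consent-gated:', cookiesSetWithoutConsent(firstVisit, consentGatedResponse(firstVisit)));
```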

> as users are supposed to be able to decline cookies and somehow still maintain state; the lawmakers don't understand a session is necessary for things like logins

The lawmakers do understand that, you are allowed to use sessions and cookies for essential tasks like tracking login state, and no popup is necessary in this case.

I wouldn't be shocked if you are correct and many devs are indeed completely ignoring the legal requirements here, but that may be in part due to developers not understanding the legal requirements or believing incorrectly (as you seem to) that the requirements are not technically feasible.

A simple, GDPR compliant solution would be a tickbox for "remember me across visits" next to the login form. If ticked you get a persistent cookie, if unticked just a temporary session that goes away when the browser is closed. No popup is needed.

You don't need a tickbox either if it's just a login cookie.

Thank You. This is new to me.

If login Cookies are allowed, and your login site already has your profile hence your Ads preference. Why do they still need to use cookies banners?

IANAL. It's not about cookies per se, it's about your information and what it's used for. If your information (e.g. a unique ID) is used for something you want (e.g. login), that's fine. If they want to use your information (could be the very same information, i.e. your unique ID / user profile) to track you, advertise to you, sell your profile to advertisers, ... they need extra consent for that.

Just in case they get sued.

..while their ads preference dialogue has pre-checked options which is clear violation of GDPR...

> users are supposed to be able to decline cookies and somehow still maintain state

GDPR only applies to non-essential tracking & advertising cookies. Login cookies are always allowed, and you don’t need a banner to state that you use those.

Is this true? What about shopping cart cookies, especially as a 'guest'? Does that need Cookie opt-in, legally?

"the cookie is strictly necessary to provide an ‘information society service’ (eg a service over the internet) requested by the subscriber or user. Note that it must be essential to fulfil their request – cookies that are helpful or convenient but not essential, or that are only essential for your own purposes, will still require consent."

If the site's using a common framework, convenient and essential uses will be combined in a "session id" cookie which needs re-developing, or just slap a cookie warning on it.


We can look to the GDPR text itself to answer that. Is the cookie there in order to create a profile with other information in order to identify a natural person. If yes, then the company is required to treat that cookie identifier with the same care and requirements as other sensitive personal data like social security numbers, passport numbers, personal ID numbers, and so on.

Law is fuzzy by nature, but it seems pretty clear that a shopping cart cookie is exempted from needing consent. Functionality of services that are expressly requested by users do not need consent, and in this case we have users that want to put items inside a cart in order to buy it. If that creates a profile on the server, and that profile is combined with other information, and then used outside the scope of the customer relationship, then we are moving into the area where consent is needed.

We can draw a parallel to data collected offline. A person goes to a store and talks to a sales representative about buying a product and having it shipped home. At what point does the salesperson need to ask for GDPR consent? The answer is likely the point where the salesperson saves a profile of that customer on the computer, and the profile is intended to be used outside the context of that purchase.

Thank you - clear breakdown there!

Which sounds a lot like the "DNT" (do not track) or Microsoft's "P3P" (Platform for Privacy Preferences Project) headers. Which both failed, because if companies were required to respect those standards, all advertising and tracking would be extremely easy for users to opt out across the board as a single global preference.

The problem is that each site can choose its own text to display, which buttons/options it shows, and how those settings are supposedly enforced. This doesn't belong in the html of a site. This is exactly what a cross-browser preference should be doing. Which should probably be a modern–and most importantly standardized equivalent–of the P3P header. Every site should have a static set of options it can request, so users are used to accepting or declining the same set of permissions regardless of the site that is visited. Otherwise agreeing to the per-site cookie banner is just as convoluted as expecting users to read Terms and Conditions policies. I have never read the text in a cookie banner, and I never will. I click the OK/Accept button immediately, just like any T&C/ULA.

Imagine if requesting webcam, microphone, notifications, or gps/location permissions were possible by a site including its own custom banner, and if you clicked OK/Accept, it immediately got access to those features. Of course browsers don't allow this, because sites would abuse it and trick users into granting permissions when not desired. Instead, your browser provides a standardized prompt for requesting such permissions. There is no reason for tracking cookies to be exempt from being required to follow the same model.

The trick of the GDPR vs those browser technologies is that there’s actually regulation because obviously the industry can not be trusted to self-regulate.

Indeed, there should be an enforced UI, but that’s not how the EU tends to regulate on privacy, and without EU regulation none of the companies currently trying to entirely ignore the GDPR will use it. They have put out guidance that some current attempts at pretending to comply are illegal, and I expect to see fines regarding that in the next couple of years - the difficulty is creating a solid case that isn’t going to undermine the GDPR through case law. I wonder, though, if there were a dirt simple API for consent in the browser, whether independent developers who would honestly like to comply would use it.

I have been increasingly seeing cookie banners that provide more options than just the typical "Ok" or "Accept" buttons, such as a more restrictive cookie tracking configuration. Not sure if selecting the more restrictive config will have any effect in those sites though, besides just hiding the banner in future visits.

And for the ones that still pop-up, you can manually filter that DOM element and save it on your rules.

Make sure to report unblocked cookie banners to the Easylist developers


Ya, and it seems like about 20% of sites use cookielaw.org, so filtering out that domain is a good start.

This is fantastic, can't believe I've not used that setting before...

Thanks. This should be turned on by default.

That would place the plugin authors in a potentially dicey position legally-speaking.

The publisher is trying to adhere to a law (for better or for worse) by giving the user visibility into technologies and data usage.

A plugin hiding that by default can lead to all sorts of nastiness.

Hiding the popup simply means the site cannot legally set unnecessary cookies. Which they don't if you just ignore the popup or click its close box. That's effectively all the plugin is doing, so it's a perfect solution. It might annoy the site owner, because they would really like you to click "Yes" but it's perfectly legal for them to never get that "Yes" and just never send you cookies.

> Which they don't if you just ignore the popup or click its close box.

The majority still sets the cookie, by using implied consent. In the best case they don't set anything if you Decline but most don't even do that. The banner is then merely an information popup about cookies in general.

Example: https://news.ycombinator.com/item?id=23523294

Yes so the website owner is in a dicey legal position, not the plugin author.

Yes, but the statement that simply ignoring the cookie banner will result in no cookies being set is still wrong. The reason being that almost no sites are compliant.

They are violating the law. There is no implied consent, except in the mind of people whose income depends on there being such a thing.

I know. I'm not saying it's compliant.

For those using Brave browser: Go to brave://adblock and select "Easylist-Cookie List - Filter Obtrusive Cookie Notices"

On a related note is there a good plugin that blocks those annoying "would you like to subscribe" type floating popups? I feel like we've gone back to 1996 with those things. Often when I get one of those my first gut reaction is to leave the site rather than search for the "X" button, but now almost every site has them.

When shopping though those newsletter sign ups often give you 10% off.

I don't know why I never looked this up. Thanks!

One downside is that some apps refuse to work until you make a choice in the cookie pop up. So if you hit a site like that you need to:

* Pause your blocker

* Reload the site and accept/deny cookies

* Resume your blocker

Thank you! I can't believe I haven't looked into that until today. I could not care less if a site uses cookies, but the notice was always super annoying.

I was doing it manually every time like this:

Right click on ad / pop up -> Block Element (a rule is automatically generated) -> Create. Voila! You might have to do it 2-3 times for the same element as it might have several layers. But then you're done and you haven't been forced into clicking "ok"

(With uBlock Origin)

You're my hero, thank you so much! I never even knew about these settings.

Wow. Thanks, this was massively irritating.

It must be the sites I go to, but I've always had this enabled, and I still get plagued with Cookie requests. :(

Thank you, I wish I had known this 5 years ago.

The EU cookie laws were well-meaning, but have had the unintended consequence of making the web more annoying, more difficult to use, and more fragmented. We shouldn’t have to resort to ad blockers just to make the web usable again.

The solution? Cookie consent should be a built-in feature of browsers and http, not something that is reimplemented in a slightly different way by every single website.

Your browser should pop up a standardised cookie consent request when you browse a new site, and enforce your selection as part of its security policy. If you choose to block all cookies (ie: private browsing mode) then the cookie consent request wouldn’t need to appear at all.

The law intended to restrict profiteering off of user behavior. Companies did not intend on having this profiteering limited, and would rather lower themselves to dark patterns and degrading the user experience.

It goes to show what the real world incentives really are. The only way to get this fixed is to more specifically regulate user tracking and online advertising by tracking. There will be people who decry this, but the advertising industry has brought this on itself.

I hope EU can soon do a "Oops, we messed this one up. We're going to remove this requirement and work with browser makers on an updated set of requirements."

The whole world shouldn't have to deal with the burden of one bad decision from EU. There should be a way to petition this. Imagine if this had happened due to a decision by some country like China.

Web has been well broken already, at least EU tried something.

I think it should be "Oops, this hasn't worked as planned and has been abused, let's try Y instead now"

Unfortunately, that’s not how the EU works. Humility isn’t exactly their strong suit.

Some of the most ardent proponents of GDPR have been quoted as saying that implementing its requirements is so easy that they themselves could do it and that people simply should stop complaining.

Isn't that the point of the `DNT` header: https://en.wikipedia.org/wiki/Do_Not_Track ? If I set it on my web browser, I'm telling web server that I do not consent to being tracked. So they shouldn't ask?

Unfortunately DNT is dead in the water, and has been for some time now. You are likely making it that much easier for yourself to be tracked because so few people go out of their way to turn that on anymore. An excerpt from the Tracking Protection Working Group mailing list[1]: "the TPWG working group then decided at the W3C technical plenary on 2019-10-24 to close down".

Further than this, the corporations that are tracking us actively would like to tell you they don't care about DNT, and they've no obligation to respect any DNT user[2]: "The DAA does not require companies to honor DNT signals fixed by the browser manufacturers and set by them in browsers. Specifically, it is not a DAA Principle or in any way a requirement under the DAA Program to honor a DNT signal that is automatically set in IE10 or any other browser." This is point blank saying that DNT may as well be used as another way for you to be tracked, from one of the biggest places for advertising online. This is an international discussion; it's not just companies in the US[3] that feel this way either.

[1] https://lists.w3.org/Archives/Public/public-tracking/2018Oct...

[2] https://digitaladvertisingalliance.org/press-release/digital...

[3] https://youradchoices.com/participating

> Cookie consent should be a built-in feature of browsers and http

Didn't we have that from day 1? A browser is free to disable cookies.

Browsers only allow consenting between no cookies, first party cookies and all cookies.

The EU laws are more concerned about the intent of the cookies. Are they functional cookies or tracking cookies designed to reduce user privacy.

The consent dialogs are not part of the browser, which is the issue because there is no standard way to block them

Disabling tracking cookies is not the same as disabling all cookies though.

Has anyone here been involved in the lawmaking process? I’m curious to know whether the lawmakers had a good grasp of the technologies. I’ve always suspected the cookie law was written by a technocrat, clueless as to how the targeted technology actually works — but I’d love to be set right.

I’ve worked for the EU parliament, but not on this specifically.

The people working on any given law (regulation) tend to be well-informed, and so are the parliamentarians that take lead roles on an issue.

Part of the problem here is that websites are less-well informed on the law: session cookies, for example, do not require a warning IIRC. But many websites using only those needlessly ask for permission.

One mistake in thinking by lawmakers was to assume that websites would choose to forgo third-party and long-lasting cookies in cases where they are of marginal utility. This obviously didn’t happen, partly because everyone started using cookie warnings and they therefore became normalized.

It should be noted that unlike the previous iteration, the current warnings ask for consent and tend to include a not-too-difficult-to-reach option to deny it.

I believe many people (and parliamentarians) that are passionate about privacy issues would also argue that the current situation is still better than quietly using your data. If you value privacy high enough, it rather quickly outweighs any annoyance, even if the latter is far more prominent in daily life.

The cookie laws have done quite literally nothing to aid privacy. As a top level comment states, browsers are much more apt to handling this than forcing websites to. Furthermore it is singularly more painful to consider that most websites do not exist within the EU.

Like most of the laws sponsored by these lawmakers they are technically useless and act as little more than a hook to allow various governments to arbitrarily penalise companies they don't like.

Literally no one voted for an MEP hoping for regulation of cookies on their browsing.

Thank you for this angle. This may have changed, but when I studied EU Law about eight years ago, the Parliament didn’t actually pass laws (despite the name) — I believe this was reserved for the Commission, who are unelected. If that’s right, how can we know if the Commission members who worked on this actually had a grasp of the technologies? (Real question, not rhetorical).

Only the Commission gets to initiate legislation. But after that, a majority in parliament is needed and parliament is allowed to and regularly does amend the text. “Amend” shouldn’t be interpreted to mean “lightly edit”. Any given paragraph is more likely to be changed than not in this process, and on at least one occasion parliament just replaced the entirety of a bill.

The commissioners vary widely in competence both generally as well as in relation to their portfolio. There are legitimate superstars such as competition commissioner Margrethe Vestager. People disagree about some of the targets of her investigations. But even her worst critics are apt to lament her ability to get things done rather than doubt her skills.

Then, there are commissioners decidedly lacking in competence, at least in regard to their portfolio. Günther Oettinger is a prime example here, and he was bound to head the digitization portfolio but was thankfully booted from the commission by von der Leyen taking up the German spot. These are usually long-time politicians who for some reason or other make an awkward fit for any national position, but are still too powerful within their national parties to be ignored altogether.

Then, there are actually corrupt lowlights. There are far fewer of these than people assume. Look for a Maltese flag to improve your chances if you’re looking for them.

Of course all of them have staff, which does the actual heavy lifting of writing bills (among other things). I hesitate to judge their skills on any absolute scale. But, purely subjectively, I’d say these teams are at least as good as any delegation from Germany, which are generally regarded as top-notch, but in my experience often carry along some bad apples they can’t get rid of because of tenure or whatnot.

I don’t know the people who worked on GDPR. You can expect them to have the internet skills of any 30- or 40-year old high performer, with a degree in law or the humanities more often than STEM. So they are unlikely to have programming experience, but do probably know what cookies are.

I’m somewhat struggling to come up with examples of technical knowledge that may have been missing here. In fact, I could probably summarize everything I know about cookies in less than five minutes. And while I probably lack some details, I doubt it would include anything of relevance to this legislation.

Better yet, there should be a setting to block cookies on all sites with a selective opt-in for sites you want tracking you

From https://discourse.wicg.io/t/proposal-show-gdpr-popup/3433/4 (from https://github.com/whatwg/meta/issues/126 )


> This puts browsers in the direct path of legislation in any given country’s demands. Features in browsers should be based only on user needs. Only when a law absolutely targets browsers should they do anything regarding legislation.

[Edit] remove the code block

Please don't quote in code blocks.

This is yet again a misunderstanding of the GDPR thanks to the tons of bad advice around it.

The GDPR requires consent for tracking technologies for non-essential purposes. It can be cookies, but is not limited to them. Local storage or browser fingerprinting fits the bill as well.

Moving the cookie consent management into the browser won't fulfill the intent of the law - sure, cookies are now disabled by the browser, but what about fingerprinting or server logs? A compliant site will still need to ask for consent for those.

When it comes to user experience, the regulation explicitly sets rules around how you ask for consent. Consent should be freely given so that users are not forced to opt-in (you can't force them to accept, so cookie popups where opting out is not possible or "by using this site you agree to our use of cookies" notices are not compliant). Tracking should also be opt-in, so pre-ticked checkboxes or where the flow to accept is easier than the one to decline (one click to accept, several clicks to decline) is not compliant either.

Finally, functional cookies such as for shopping carts or logged-in user sessions are explicitly allowed without requiring consent nor disclosure.

The problem here is not the design of the law but the lack of enforcement of it. All those obnoxious sites where you'd want to ad-block the consent popup are not compliant by default and should be fined. If the law was enforced we'd quickly see changes around this and consent popups would become unobtrusive.

IIRC, several sites actually got fined early on for using unobtrusive cookie pop ups, as it was ruled that people weren’t likely to notice them and therefore they didn’t count as “consent”.

Unobtrusive popups are fine as the regulation also mandates tracking to be opt-in, so if you don’t notice nor interact with the popup then you don’t opt-in and there are no problems.

History shows that the worst decisions are "we wanted good but didn't consider the consequences". Compare and contrast with FOSTA to prevent sex trafficking (https://www.eff.org/deeplinks/2018/12/congress-censors-inter...).

> “Anyone who thinks that the Communist regimes of Central Europe are exclusively the work of criminals is overlooking a basic truth: The criminal regimes were made not by criminals but by enthusiasts convinced they had discovered the only road to paradise. They defended that road so valiantly that they were forced to execute many people. Later it became clear that there was no paradise, that the enthusiasts were therefore murderers.” - Milan Kundera, The Unbearable Lightness of Being

This definitely seems like the right solution. I wonder, did the EU even attempt to collaborate with web standards organizations and browser makers while crafting GDPR?

The way GDPR is written is partly a consequence of the way the cookie law was treated. E.g. it is more about intent and data.

The problem is that they are not actually "cookie-consent". They are "track you for profit" consent. It is a misconception that is encouraged by the whole web advertising industry but there is no need under GDPR to get consent in order to use cookies for necessary features, such as an authenticated session or user preferences. You'll notice these prompts always have a link for "more information" where they explain what their actual intentions are.


Go on then. I'd rather have my privacy in their interests so predominantly American companies have less power to spy on me.


Perhaps he understands things you don't. Like that living standards are falling since low wage jobs have to compete with a substantial part of the former Eastern bloc.

Doesn't affect the rich (yet), of course.

>The EU cookie laws were well-meaning, but have had the unintended consequence

This is all government.

I'm not sure why we keep expecting anything other than regulatory capture with government intervention.

That is the way, but there's no need to install an extension just for it. Just add the IDCAC filter list to uBlock Origin (uBO settings => Filter Lists => Import, at the very bottom):


Also on that same page you can enable some of the 'Annoyances' filters. Just be aware that some of them block social media buttons (FB/Twitter like/follow embeds), which you may not want.

There's also an EasyList filter list just for cookie notifications: https://easylist-downloads.adblockplus.org/easylist-cookie.t...

Isn't uBlock Origin an extension?

Yes, but uBlock can do everything IDCAC can do, and more, so there's no point in having both installed.

Sure but what if you only care about cookie warnings and use site that are supported by ads?

Technically speaking, uBlock origin is not strictly an ad blocker. It is a general purpose content blocker; it will block whatever content is matched by its block lists; and it happens to ship with ad lists enabled by default.

Of course, practically speaking it doesn't just "happen" to block ads; that's a major motivation for its development, and so we usually just refer to it as an ad blocker.

To answer your question directly: if you want ads and no cookie popups, disable the ad lists and enable the cookie popup list.

Yes, at that point you may as well just install the other addon, but the uBlock method preserves a key advantage: the ability to combine multiple cookie popup block lists. This is useful in case several people are making lists that cover different corners of the internet.

Tangential question, but I would love to know if a group of people who prefer ads but not cookie warnings exist? Do they rank supporting the website above minor inconvenience of pop-ups and advertisements? That's gotta be a unicorn in terms of internet users.

Uh, I'm in this group.

I think that if I'm visiting a website and using its bandwidth, the website ought to get paid. If the ads are too egregious, then using the website isn't "worth the cost" and I go to a different website.

I do however pay for Scroll[1], and I use Firefox's Enhanced Tracking Protection. Due to the latter, many websites think I'm using an adblocker and complain, which really irks me.


1: https://scroll.com/

You don't support the website by seeing ads. The only reason why anyone is paying for ads in the first place is because it affects the bottom line. So if you just see ads and don't buy the things they are pushing, the price that advertisers are willing to pay will decrease over time.

Only when you make a purchase based on an ad are you supporting anyone. At that point you should just buy the better product and support the website by sending them money instead of buying a shitty product that has advertising priced in.

You'd be surprised if you knew how indoctrinated teens get in terms of not blocking ads on their favorite youtuber's channel.

I like ads. Instagram story interstitials are very enjoyable ads.

Whitelist the good sites? Given that the vast majority of sites run garbage and/or intrusive ads, auto-playing videos, etc. and I don't really care about supporting most of them, a blacklist-first approach makes sense and I just whitelist the very few on which I'll accept ads.

You can use sites that are supported by ads just fine with adblock. Why couldn't you?

It blocks ads, so the sites can't produce content.

You'd still be better to use uBO since it's the more actively developed software.

True, but IDCAC is more focused on cookies.

Using sites that are infested by ads is the very reason to use an ad blocker.

For some people. Others don't consider advertising to be evil.

Not sure why, but unfortunately using that list in uBlock Origin (latest Firefox 77) does not produce the same result as using the "I don't care about cookies" extension;

Example website for which blocking the cookie popup does not work with uBlock Origin: https://tweakers.net/

I don't get any cookie popup on that website, without the IDCAC extension or filter list. I'm only using the opt-in 'Annoyances' filters in uBO.

That's odd; it appears they are using a different cookie 'popup' depending on the browser/OS...?

I tested on Ubuntu and macOS with the latest Firefox (clean profile) and Chromium and I get the cookie popup/wall, even with ALL default uBO filter lists enabled, and also with the IDCAC list enabled in uBO. Screenshot: https://imgur.com/jcr4EuP

However I just tested with https://www.browserling.com/ which uses Windows 7/Internet Explorer 11 and here I do not see the 'cookie popup/wall' but instead I see a blue 'cookie banner' (which is easier to block with uBO.)

That's weird. I'm on Linux but enabled privacy.resistFingerprinting in about:config, which sets the user agent to a standard Windows one (same as Tor Browser iirc) and also brings over a bunch of other Tor Browser features. Only downside is it reduces timer precision which makes some games lag, so occasionally I have to turn it off for a bit.

I figured it out... they are showing a different cookie banner/cookie wall depending on the origin country of your public ip :)

Check out the homepage where you can find versions of the extension for other browsers: https://www.i-dont-care-about-cookies.eu/

That chrome extension has quite a memory footprint and seems to slow everything down... Haven't debugged, but my browsing sessions have been a lot less laggy since I disabled it...

That's the reason I disable it and install Ghostery instead. uBlock Origin makes youtube videos stutter at about the 2 second mark on my Raspberry Pi 3's (I don't know about the rpi 4's because I remove uBlock and install Ghostery as a default nowadays) and also my laptop, which runs Windows instead of Linux (so it's not just an OS issue.)

Ghostery doesn't have as many bells and whistles, but it does greatly minimize the main annoyances out there, and it doesn't slow anything down noticeably.

It might all be a moot point by this time, since Youtube has changed how they load in such a way that it stutters no matter what because it is so busy downloading absolutely every item on a page all at one time instead of prioritizing the video stream like it did about a decade ago (back when you could pause a video and it would download fully even while not yet playing, thus avoiding the bottlenecks altogether...).

Ironically that puts me back to pausing everything first just to give all the useless off-screen crap enough bandwidth to load without ruining the video experience.

No matter how much faster technology gets, they find a way to make it more and more sluggish every time.

Ghostery is the one which reports your browsing history to advertisers (by default/opt-out), and also shows advertisements of its own.

Not recommended over uBO.


I haven't seen any ads, except Twitter's sponsored posts. It is possible/probable I set the right setting back when.

Since Youtube chokes anyway nowadays (I did manage to stave it off for a few years), I might as well go back to uBO.

You may have better luck using vlc / mpv to play YouTube videos on the pi.

Even with uBO, Twitter's ads still show up for me.

The ads I get on Twitter are at least related to my interests, and sometimes are new things that are right up my alley (like new Raspberry Pi gizmos, and that Turing Tumble game), so I don't even mind. They must have a lot of advertisers to be able to be that specific.

For the record, this section of Wikipedia seems pretty outdated. Ghostrank has been removed from Ghostery in 2017 after Cliqz acquired Ghostery and the extension was open-sourced.

(Disclaimer: I worked there at the time)

> uBlock Origin makes youtube videos stutter at about the 2 second mark on my Raspberry Pi 3's

If uBO is really responsible for this, you should probably check the box "Ignore generic cosmetic filters" in "Filter lists" pane. For instance, this is the default in Firefox for Android, I consider it's best for less powerful devices.

I'm going to try that. It's definitely uBO because when I replaced it with Ghostery, the problem was gone. That's the same on all my pre-rpi4 devices and my laptop. If that fixes it, I'm surprised they don't just set it up that way by default in Raspbian.

But now it'll be hard to tell, because Youtube has changed the way it downloads stuff in the background without prioritizing the stream. uBO definitely blocked a whole lot more noise than Ghostery does.

Try disabling generic cosmetic filters in uBlock.

So you mean government involvement in tech both didn’t serve its intended purpose and it's an annoyance to the end user? I would have never guessed....

The government doesn't enforce cookie banners. They enforce that there shouldn't be tracking. It's the tech companies who think it's worth while to annoy the users with cookie banners in order to be able to do more tracking (my assumption is that some make the banners extra painful as a way to steer anger towards legislature ...)

I mean, still, the practical effect of the govt legislation was to annoy countless people and waste who-knows-how-much-effort implementing the stupid banners.

To argue that this legislation would've had a good effect in some hypothetical alternative world where businesses had different incentives is beside the point!

(Side note, if it were not for govt investment in the decentralized, open internet, we'd probably all be using some ungodly-advanced version of America Online. So I'm certainly not advocating govt has no place in tech!)

Another way of looking at it: the effect of the legislation has been to expose that just about every website tracks you.

Websites don't have to put a cookie banner for every kind of cookie. They have to show it whenever they collect identifying data about you. If they choose not to collect info on their visitors, then they don't have to put a banner.

With most of my customers the conversation goes something like:

- Customer: We must still implement that cookie popup before launch!

- Me: No. You don't have to. If we just disable SomePerformanceMetrics and GoogleAnalytics, we're done: we don't need a popup.

- Me: who is using the performance metrics ATM? And who is acting on GA? How do you use them? Would this (shows three really neat Log-analyzers as alternative) suffice?

- Customer: We don't use them yet. But we might want to in future. And then we might need all that data. So we want to start collecting it now.

Point is: you don't need Google Analytics, you don't need any of those 20+ tracking cookies if you actually look at it. But there's a lot of FOMO, combined with "but this is how we have always done it, so shut up".

There are some rare cases where GA, new-relic, tagmanager etc are really necessary and none of the privacy-friendly (ie no-cookie-popup required) alternatives cut it. But those are rare. I daresay that a vast majority of tracking cookies is just there because the developers/business is too lazy to take a serious look at the problem.

Which is why I truly welcome more legislation that turns "collecting vast amounts of data" from "free" into a real and looming liability.

You should add this question to your set of questions: "Do you really want to report all your users up to Google, so that Google sees how successful your product is and can build a competing product?"

And yeah, doesn't work for all sorts of things, but as a site operator I would be careful in giving away that information out of self interest already ...

You don't even have to fully disable GA. You just need to disable individual level tracking, as far as I know.

I am no lawyer, but I was told this still is "third party tracking cookies" which is what the GDPR is about.

>Log-analyzers as alternative

You mean... no opt-in popup is required for logfiles? Isn't it also PII? IP + browser + timestamp + referrer? It's almost enough to identify unique visitors.

Yup, it's very similar to what happened with Windows Vista. Those security dialogs were annoying as hell, but the real issue was that most applications were used to running with way more permissions than they really needed. Windows 7 didn't get the flak that Windows Vista got, but the biggest difference was just that applications had had time to fix their permissions so they didn't ask for admin rights that they didn't actually need.

I'm just not sure how else it's supposed to work. The law says, "Can't track without consent." How else could that be put into place other than popups informing you of the use of cookies and asking for consent? I'm not trying to be a smart-ass, if someone has a better idea I'd be all for it.

Don't use tracking tools and advertising networks that hurt people's privacy and you're good. You don't need a banner.

Just don't track.

The reason why companies implement those banners is that a banner talking about cookies sounds much nicer than saying: We want to create a profile of every detail we can find on you and auction that out to an advertisement network, press OK here.

GDPR could have added a law against misrepresenting the profiling under the umbrella of a "cookie consent", but that would just be Whac-A-Mole legislation. Companies would just wrap the consent banner under some other pretense.

A govt legislation that would actually work in practice would be to ban the practice of collecting and selling personal data. No consent, no popup, just a law making it illegal. That would have the desired practical effect and no annoying banners would ever be written. It would also be much harder politically to get accepted and people would complain that EU are draconian for not allowing consenting adults to go into an agreement where they trade personal data for service.

Personally however I would prefer if EU did just that. Ban it. Make databases of personal data toxic to have and the liability if anything leaks be high enough that in practice a company like a newspaper will do something else in order to earn profits.

> The reason why companies implement those banners is that a banner talking about cookies sounds much nicer than saying: We want to create a profile of every detail we can find on you and auction that out to an advertisement network, press OK here.

The reality is even worse. The site operators would have to say "we want to give your data to google and others so they can create a profile of everything you do online."

If an individual site would track how one navigates their site and see click paths that might be tolerable to some degree. (Till they use that to increase dark patterns like booking.com's "only 2 rooms left and 5 people looking at this") But giving it away, into central databanks is baaaad

Not enforce ≠ the law.

Liability doesn't work with a lack of enforcement.

> They enforce that there shouldn't be tracking.

Doesn't the 2009 ePrivacy directive exclude "strictly necessary" cookies [1], not "non-tracking" cookies? Like GDPR, I think no website wants to be the first to test what falls under "strictly necessary", under the EU directive and every country's specific implementation.

They really should have listed specific exemptions on the directive. Here's hoping that the new ePrivacy regulation will have them and/or just repeals the cookie popup.

[1] https://wikis.ec.europa.eu/display/WEBGUIDE/04.+Cookies

Government is deeply involved in tech and tech is deeply involved in government. There's major mutual touchpoints just about everywhere

Cherry picking an outlier, then attributing one side of the relationship as completely at fault and sarcastically implying it's generally representative isn't an honest depiction of reality.

I've seen lip service to this clear misrepresentation of reality my whole life. I don't let it slide anymore. We can do better.

The difference is that giving the government more power is inherently dangerous. I can refuse to use a specific tech company’s product a lot easier than I can refuse to be under a government.

A corporation doesn’t have the power of the state to threaten to take away property or liberty.

Of course they do! Private mercenaries, prisons, banks, repo companies, landlords, insurance providers, all kinds... of course they do. Corporations were initially an arm of the state to do state functions. They still do that today.

What corporations don't have is any obligation to cede to the public demand or be held accountable for their actions. There's no democratic control, no way they can be fired by the voter nor do they have any responsibility of transparency.

Voting systems, red light cameras, municipal water, nearly every aspect is controlled by private corporations shirking responsibility oftentimes for decades. Polluting a town's water supply and walking away pretending they didn't - there's even many well known movies about things like this with academy awards. Often the criminals get away with it having hid under the legal fiction of the corporation.

If a secretive unaccountable private corporation determining the outcome of an election and claiming the audit trail is a trade secret doesn't ruffle your libertarian feathers then there's something seriously wrong.

What you claimed is yet another silly thing I've been hearing my whole life. It's totally wrong. Any inspection would immediately reveal this

What corporations don't have is any obligation to cede to the public demand or be held accountable for their actions. There's no democratic control, no way they can be fired by the voter nor do they have any responsibility of transparency.

How well has that whole accountability thing worked out for the police department and the American military? The justice system?

There's no democratic control, no way they can be fired by the voter nor do they have any responsibility of transparency.

Nor can judges with lifetime appointments.

Voting systems,

Where conservative states consistently disenfranchise minority voters by closing polling places, passing voter id laws but then make it harder for minorities to get an ID and they count gun registrations as valid Id but not college IDs...

Polluting a town's water supply and walking away pretending they didn't

See the government run water supply in Flint Michigan.

The US government has treated people outside the US a lot worse than it's treated its own citizens, in the last 100 years, yet anti-US government people in the US don't seem to talk about that. You don't get invaded, saturation bombed, napalmed, droned etc. Or your democracy replaced with military dictators given a load of weapons and torture training.

Still, why corporations are internally so much better by nature than governments, in that world-view, I don't see.

The banana republics were done for the banana company

The oil wars were done for the oil companies

There isn't this mysterious firewall between government and business. They're different departments of the same thing.

Nor is there any mutual exclusivity. The absolute dictatorship of Pinochet's Chile is also where the most radical forms of Milton Friedman's free market capitalism was tried.

They're two interacting institutions of power that can exist in many forms. Free business doesn't guarantee free societies.

There is no silver bullet

I’m the first to call out the hypocrisy of people tsk tsking and saying destroying property doesn’t bring about change in the case of police misconduct but being the biggest supporter of the military that bombs other countries and kills civilians to “bring Democracy”.


Humans can be real bastards and governments aren't magical solutions just as corporations aren't magically evil.

The question is about who can be held more accountable, who can be more feasibly removed from power and what kind of institution can be more promptly remedied.

We as moral actors could potentially change the laws of governance probably far easier than we could form a corporation to defeat ExxonMobil in the marketplace. Both should be easier, but that's another discussion.

Both governance and private capital are imperfect and both deserve criticism. Being a fan of either is a mistake.

The US has a long history of not being “moral actors” when it comes to the rights and freedoms of racial and religious minorities and non straight people. Having a government that caters to the majority is fine if you are in the majority.

We just saw the government stripping rights of transsexuals with regards to health care. What would they do if they had more access to data? If you were a Muslim American would you trust the government in its current state to have more access to your data?

I'm sure that will be addressed far faster than the 60 years it took to hold tobacco companies accountable, only possible through government.

You mean the same government that still hands out farm subsidies to tobacco farmers?


How many decades did it take the government to rule that it was discrimination not to allow gay people to adopt kids? Get pregnant by in vitro insemination? If you aren’t in the affected group it’s easy to tell those who are to be patient.

What's the point here?

Mine is there's endless propaganda depicting corporate America as bright shiny perfect perfection and government as slow clunky incompetence and I'm really really tired of the bullshit.

It's not academic, it's not scholarly, it's mindless partisan cheerleading, some kind of religious orthodoxy, a blind adherence to something that's obviously nonsense.

It's just endless streams of nonstop crap from places like heritage, hoover, heartland, aei, cato, they're overflowing bullshit factories. Enough of that nonsense already.

Governments do incorporated things and corporations do governance - they are different structures of cultural institutions that interact with each other all the time.

Well let’s see. In 25 years I’m quite positive that I have never been discriminated against when it came to hiring working in technology. That’s from working at some of the smallest companies to some of the largest. I can’t say the same when it comes to being stopped by police when I “looked suspicious”.

Given a choice between trusting Big Tech and Big Government. I trust Big Tech a lot more.

Non anecdotally, who were the first to recognize the rights of LGBTQ? The government or Big Tech?

The Kingdom of France 1791? Monaco in 1793? Prussia in 1794?

When do you want to start this? Maybe 20th century instead? The October Revolution in 1917, Poland 1932, Denmark 1933?

Oh you're talking LGBT protected class discrimination for employment! Pennsylvania, 1975, Wisconsin 1982?

Maybe you're talking about Bostock v. Clayton County(2020) which got to the SCOTUS because a private corporation, in 2019, fired an employee for being gay. That's how it got there, a private company not respecting LGBT rights.

So maybe you mean the courts? When was the first case in LGBT people's favour? One, Inc. v. Olesen 1958. Nineteen fifty eight.

So yeah, probably government. Feel free to move the goalposts around if you want. I'm pretty confident on this on wherever you decide to place them

> I can refuse to use a specific tech company's product

This is less true than you might realize. Consider that if a friend of yours is on Facebook, they might upload photos of you and tag your name, allowing Facebook to build a profile of you regardless of whether you use Facebook or not.

Consider that credit rating agencies buy your loan history in order to rate you as a customer, regardless of whether you check your credit history with them or not. Consider that Google buys your credit card purchase history to build a profile of you.

Consider that Google takes pictures of your house regardless of whether you search for it on Maps. Consider that GM and Ford collect and sell your location data from your vehicle. Note that vehicles that don't do this are getting more difficult to obtain because the price of vehicles is becoming increasingly subsidized by surveillance.

Technology is ubiquitous. Not all technology is a product sold to consumers, and you don't always have a say in how it's used. GDPR covers all of the above situations. Its effect on websites is peanuts.

> A corporation doesn’t have the power of the state to threaten to take away property or liberty.

Automated systems are currently part of the decision-making process in hiring, firing, choosing to loan, choosing to rent, policing, and determining prison sentences. A corporation that offers "fraud detection" services has a surprising amount of power over your liberty and property.

...allowing Facebook to build a profile of you regardless of whether you use Facebook or not.

Why isn't there a law to prevent this while there's a law that accomplishes nothing except guaranteed annoyances? Is it not the government that makes laws?

There is, it's called the General Data Protection Regulations. Its purpose is to protect consumers from companies that surveil and track without your knowledge and permission. You should read up on it as cookies are just a tiny paragraph.

My point is that it's the government that makes and enforces laws.

Government is responsible for both its own misconduct and companies'.

Seems a bit simplistic. I'm always surprised at how really smart people revert to tribalist sound bites when it comes to politics. Power is derived from the ability to successfully enforce it. Doesn't matter who has the power.

> A corporation doesn’t have the power of the state to threaten to take away property or liberty.

Questionable, and to the extent that this is true, it is because of power given to governments to ensure those rights.

You mean the power given to unelected departments like the FTC, FDA, etc that actually create regulations or the unelected judges with lifetime appointments or the unelected officials in the Department of Justice?

Those obviously need to be fixed. Finding egregious oversights in the structure of our public office doesn't immediately invalidate it because we have tangible, actionable mechanisms for fixing it.

Corporations on the other hand are effectively vestigial 21st century monarchies, with all the cost and benefits that comes with that.

I've run a few small ones and believe in private industry. I'm not anti corporation, but let's call a spade a spade here. Believing in bullshit never helps you in a competitive marketplace, don't do it.

You mean fix one entire branch of the US government - the judicial branch. Or do you mean the Senate that has two senators regardless of population where someone in the Midwest has far more voting power than someone in a more populous state? Or do you mean gerrymandering?

It’s not libertarianism. It’s seeing the history of biased enforcement when it comes to the “War on Drugs” among other things but even with tech, we see the government would love to get access to data and in the case of the current administration “shut down Twitter”.

If the government had more control over the tech industry, who do you think they would go after?

The government could trivially shut down the internet.

They could easily raid the ICANN and IANA offices in playa vista and shut down global DNS in about an hour if they wanted. It's just a single floor, you could probably do it with 2 police officers.

The chains that bind them from doing so are those of public accountability.

A diligent public strangles the powers of a revanchist government.

Again I agree with you there are regrettable policies that should be addressed. Governance offers us that mechanism. That's why it's preferable as an institution in deciding public policy.

I'd rather have our imperfect government with their awful War on Drugs running the show than say Bayer, who marketed heroin to kids for mild ailments, or Purdue pharma which peddled opioids, you know, as late as last year, or the huckster Elizabeth Holmes or the price gouging Martin Shkreli or RJ Reynolds or any other profit seeking unaccountable entity.

Replacing the FDA with say a board of Shkreli, Holmes and Purdue? Yeah, I'm sure that'd go just great.

And there you have it. When drugs were affecting the inner city it was all about “lack of morality” and being “tough on crime”. But when it started affecting “rural America” it was “let’s blame the drug companies” and “treat it like a disease”.

I doubt people in the inner city or the people who “fit the description” wouldn’t feel the same way about the “War on Drugs”.

Some corporations will kill people if there's a buck to be made and then intentionally cover their tracks. Pg&e, ge, bechtel, nestle, exxon, rj reynolds, purdue, bayer, exelon...

The system as it stands is designed for people to "be as greedy as they can possibly get away with."

Then there's this theory that if everyone is exclusively a conniving bastard trying to double cross everyone and snatch profits by stomping on everyone else, the world will be a functional happy place.

Building a society by incentivizing what basically every religious text says leads to crime is a big mistake.

Some corporations will kill people if there's a buck to be made and then intentionally cover their tracks.

You have been watching what's going on with the police haven’t you?

We should encourage the EU to remove this ridiculous requirement.

Remember that only cookies (or similar) used for tracking are forbidden and require prior consent.

Functional cookies like shopping carts, logged-in user sessions, etc do not require disclosure nor consent.

Furthermore consent is only valid if it's opt-in (and not opt-out, so pre-ticked checkboxes are not compliant) and if it's just as easy to decline as to accept (so if it takes more clicks to say no than yes then they're in breach already).

Don't blame the EU for this, blame the website operators and their broken business models.

Except for the part where blogs, templates, the uninformed, and the webdevs trying to CYA add the popups anyways regardless of whether or not they are needed because why run the legal risk?

The way they are doing it doesn't actually comply with the law either, so the CYA aspect of it doesn't work as designed. Adding a popup doesn't do anything as far as the GDPR is concerned unless the popup allows you to decline tracking just as easily as it is to accept it (no pre-ticked boxes or anything).

I believe the problem here is wrong advice leftover from the previous "cookie law" (which I agree is completely stupid) being repeated endlessly (either honestly or maliciously from the adtech/spyware industry to try and make the GDPR look more annoying to the users). I sometimes even see this wrong "advice" here on HN on GDPR-related threads.

I just Googled for the top GDPR myths, and one of the first hits goes to a page purportedly listing just that, but I couldn't read it because...wait for it...the pop-up wouldn't go away unless I selected Accept Cookies. Yes, they do track users.

"CYA" == "Cover Your Ass"

That's right it's the broken business models that have these companies running rich because we don't care about the banner anyway. The EU is the knight in shining armor that fixed it.

We should encourage websites to stop tracking us.

I don't care and I don't really see why anyone else does much either. It keeps websites free with no tangible downside. I resent Europe ruining the web with these consent banners. Websites are even forced to support "freeloaders" who don't consent which seems extra ridiculous to me.

No, there is nothing that prevents a website from forcing ads. It's just tracking that's not forcible. (Well, according to GDPR, that is.)

The 2 aren't mutually exclusive.

Seriously, I wonder if adding those cookie banner impacted tracking in any significant manner, because it definitely significantly impacted the usability of the web.

Actually, it only impacted the part of the web that is trying to track its users. Things that didn't have cookies aren't impacted.

The only world in which your statement makes sense is one where user tracking is assumed to be acceptable and something that must be done. Neither of those things are true.

Not OP, but I completely agree with their statement that "it definitely significantly impacted the usability of the web."

As others have noted, a ton of sites seem to have just thrown the necessary JS on their site without actually seeing if they needed to, or if they did, if they could make minor changes that would remove the need.

From a usability/user experience perspective, now users have these popups displaying on some number of sites that they visit, often developed with the assumption that they will be accepted by the user.

Based upon some of the experiences I've had, I would say a number of teams neglect to properly test their sites as a user that has not accepted/dismissed the pop-up/overlay.

An argument could be made that cookie banners might somehow be normalizing tracking cookies too.

Through enough repetition the act of opening a new website and immediately clicking away the cookie popup becomes so automatic that people don't bother to read the disclosure, think about whether XYZ site should be tracking them, whether they want to consent or not, etc.

I myself am guilty of just clicking the damn thing without really thinking, and then I realize in horror that I opted-in by accident.

Serious question - why do people click on them? I simply ignore them and never say one way or the other whether I consent. It never causes me any problems, and I can honestly say that I never consented. Worst case there's 1-2 lines of text at the bottom of the window that have useless stuff in them instead of content. A minor annoyance compared to nav bars that randomly float in and out, email signups that popup after you've scrolled the first time, etc.

Remove cookies from the HTTP specification, and more importantly, browsers.

Replace it with a single "session token" value that you are allowed to set. Can only be created in response to a form post. No cross domain.

Make all the other web API stuff a smartphone-style opt in. "This app requires the following permissions: Store private data in your browser. Only do this for sites you trust as this can be used to track you." etc.

Maybe all the above can be made into an extension as a stop gap.

Ironically, cookies were GDPR-compliant when first created, and they envisioned the problems they're causing today. Hell, parts of the original cookie specs read very much like GDPR. It's just got corrupted over time by advertisers. Perhaps the best option today would really be to just rip them out entirely.

Do any reputable extensions modify the cookies randomly vs just deleting them?

I'd imagine a flood of junk data would increase the cost of tracking.

That is part of the ePrivacy Regulation (https://ec.europa.eu/digital-single-market/en/proposal-epriv...) which was supposed to be implemented at the same time as the GDPR, but got stuck because of (so far) successful lobbying by advertising companies:

Simpler rules on cookies: the cookie provision, which has resulted in an overload of consent requests for internet users, will be streamlined. The new rule will be more user-friendly as browser settings will provide for an easy way to accept or refuse tracking cookies and other identifiers. The proposal also clarifies that no consent is needed for non-privacy intrusive cookies improving internet experience (e.g. to remember shopping cart history) or cookies used by a website to count the number of visitors.

> The new rule will be more user-friendly as browser settings will provide for an easy way to accept or refuse tracking cookies and other identifiers.

Browsers have provided this functionality for 10+ years. Why the law didn't target the user/browser level instead of the website level is beyond me.

The browser knows that the cookie exists, but it has no way of knowing how the server is going to use it, or what the cookie is actually for. A single cookie might even be simultaneously both, and force the user to accept cross-site tracking in order for the site to work correctly.

I guess there's complicated zero-knowledge proofs that could solve this problem, but they're too slow right now.

>The browser knows that the cookie exists, but it has no way of knowing how the server is going to use it, or what the cookie is actually for.

There was a standard for that, too. https://en.wikipedia.org/wiki/P3P. There's no reason why something similar can't be implemented now.

Browsers don't have a way to block tracking cookies without collateral damage.

Wouldn't that defeat the purpose of having the choice to not allow sites to save a truckload of cookies on your computer?

If anything maybe we should encourage having a "master preference" set in the browser, something like DNT (but not so easily ignorable) that just tells all websites on the user's behalf to only allow the absolute minimum number of cookies needed for the site to function. A small message on the bottom of the page could give more details or allow manual changes.

What’s wrong with DNT? Just need some judge to determine that DNT means there is no consent given.

The problem is that ticking the DNT box will probably have absolutely no effect. At this point we can safely consider it dead. It barely ever saw any adoption, it was easily and "legally" ignored anyway, Apple dropped support for it more than one year ago, and even the W3C DNT working group was dissolved.

Now we have GDPR which is legally enforceable (officially) so we could use the technical implementation that can automate applying it.

The choice is programmatic. You can disable cookies on your browser. You can delete cookies you don't want. Done.

The thing is, this is not only about cookies, despite the cookies being the poster child for it.

The regulation applies also to all sorts of analytics, fingerprinting, behavior tracking, user tracking, etc., which is far more prevalent and problematic than simple cookies.

How do you "delete" that?

We can still establish that cookies are fine and outright fingerprinting/tracking is not, this isn't even that difficult because on a technical level cookies are the optimal option privacy-wise, in the sense that users have full control over what data is being stored, and to whom it is sent. The problem is that not everyone is aware of this choice and most browsers don't provide safe defaults.

Some web admins have no choice if their CMS sets cookies. There's plenty of content management systems that do just this.

OctoberCMS for example sets a cookie for every user and there's no way of turning this off, and lots of WordPress plugins just don't care with no option to disable this behaviour.

So most banners are just a notification rather than a choice. e.g. Continue to use the site and you automatically opt in. Which is not the intended goal for the law.

> Some web admins have no choice...

Of course they do, or one of their superiors does. Computers are physical devices that do what their operators tell them to do; it’s entirely reasonable to hold the operator responsible for what the computer does at their request. That includes the overt behavior of any software they choose to run, and they always have the option to choose different software or, in the extreme case, unplug the server and discontinue service.

>Some web admins have no choice if their CMS sets cookies.

Then the solution is simple: Stop using those CMSes.

>So most banners are just a notification rather than a choice. e.g. Continue to use the site and you automatically opt in. Which is not the intended goal for the law.

That is breaking the law. Generally, people should not do that.

This is indeed a very positive and smart move. Despite the fact that
- a lot of sites just don't really play along (they'll just show you a nag popup that you have to OK, but they'll plant their tracking cookies before that anyway)
- a lot of sites deliberately make it hard to opt out (this ranges from having to click around in the consent manager to outright sending you to a 20 page PDF that tells you that you can disable cookies in your browser if you want to - this, BTW, is clearly not an acceptable solution according to GDPR), don't show you the content if you don't accept all their tracking cookies (this is also illegal)
- some sites just make it a bit harder than it could be (you can see the very same consent boxes on other sites with a more user friendly 'opt out all' option)
- some sites do 100% OK

But it turns out that 100% OK is still not good enough. This whole thing should really be managed either by the browsers or by an extension and the consent request should come in a standard, machine digestible way (XML, json, what not). You could then just set your preferences once, that should work for most sites and every now and then (but less and less frequently) you'd be asked about what to do with unknown cookies on unknown sites.

In short, just because part of the industry is trying to circumvent regulation and because the current implementation is not the most efficient, we should not give up on the whole idea.
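The comment above notes that some sites set tracking cookies before the visitor has answered the banner. As an added example (not part of the thread), here is one way to audit that from `Set-Cookie` headers captured on a first, pre-consent page load; the hosts, cookie names and the one-day threshold are constructed assumptions, and the output is a list of candidates for review, not a legal determination.

```javascript
// Constructed sample: Set-Cookie headers seen while loading a hypothetical
// page on example.com BEFORE any consent choice was made. `host` is the
// server that sent the response carrying the header.
const PRE_CONSENT_CAPTURE = [
  { host: "example.com", header: "sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax" },
  { host: "ads.example.net", header: "_trk=9f2c1e; Max-Age=63072000; Path=/; Secure; SameSite=None" },
  { host: "example.com", header: "visitor=7d1b; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Path=/" },
  { host: "example.com", header: "csrftoken=xyz; Path=/; Secure; SameSite=Strict" },
];

// Split one Set-Cookie header into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const part of attrParts) {
    if (!part) continue;
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return cookie;
}

// Lifetime in days; Max-Age takes precedence over Expires (RFC 6265).
// Returns null for a session cookie (neither attribute present).
function lifetimeDays(cookie, nowMs) {
  const a = cookie.attrs;
  if (a["max-age"] !== undefined) return Number(a["max-age"]) / 86400;
  if (a.expires !== undefined) return (Date.parse(a.expires) - nowMs) / 86400000;
  return null;
}

// Simplification: a host is first-party if it is the page host or a subdomain.
// A real same-site check needs the Public Suffix List.
function isFirstParty(responseHost, pageHost) {
  return responseHost === pageHost || responseHost.endsWith("." + pageHost);
}

// Flag cookies set before consent that come from another site or outlive
// the session by more than `maxDays` (assumed threshold).
function auditPreConsent(captures, pageHost, nowMs, maxDays = 1) {
  const findings = [];
  for (const { host, header } of captures) {
    const cookie = parseSetCookie(header);
    const reasons = [];
    if (!isFirstParty(host, pageHost)) reasons.push("set by third-party host " + host);
    const days = lifetimeDays(cookie, nowMs);
    if (days !== null && days > maxDays) reasons.push("persists " + Math.round(days) + " days");
    if (reasons.length) findings.push({ name: cookie.name, reasons });
  }
  return findings;
}

// Fixed clock so the result is reproducible.
const NOW = Date.UTC(2024, 0, 1);
console.log(JSON.stringify(auditPreConsent(PRE_CONSENT_CAPTURE, "example.com", NOW), null, 2));
```

The header alone cannot say what the server does with a cookie, so a flagged first-party cookie may still be strictly necessary and an unflagged session cookie may still be used for tracking.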

Or just tweak the law. Remove informed consent as a legal basis for collecting data on web users.

There are probably some contexts where “informed consent” is a sensible legal basis for processing data. But no-one in their right mind would freely agree to all this tracking that those pop-ups are trying to trick you into. So instead of trying to make “consent” easier to give, just assume that it won't be given.

I can think of two or three entities I interact with for whom I might enter such a consensual agreement with. Neither are “sites”, and the web is not the primary way I interact with them, so a browser would not be the tool to maintain those agreements.

Would that mean a complete ban? I don't think that would be great. There is a lot of value in collecting statistics for the sake of analyzing user behavior. I also see the value in targeted ads and I'd say that it would probably be beneficial for the user (but I always opt out, because it's not worth it for me). Semi-automatic consenting could solve this, I think. E.g. I'm happy to provide non-tracking usage statistics for most small startups and I'm OK with Amazon tracking what I'm looking at on their site so they can give me better recommendations.

But I might not know what exactly 'consensual agreement' as a legal expression means.

BTW, this is pretty much the same issue as with ToS's. Some sites will try to DoS you.

Consent is only required if there are no other valid reasons for the tracking.

Tracking required to provide a service for the user doesn’t require consent, f.ex. So you could still get personalized ads from Amazon as a service provided for you without needing explicit consent for the tracking as such.

Similarly “non-tracking” analytics don’t require consent either. If you by non-tracking mean more or less anonymous.

You only need consent for processing PII that you don’t have a legitimate interest to process.

> a lot of sites deliberately make it hard to opt out

Amusingly I've just followed a link on HN to The Economist [https://www.economist.com] - their popup offers a link to "manage your cookies" where you can untick huge numbers of them or click "Opt Out All". Great - did that, however on returning to the page found the popup still covers part of the page :-)

However, we must remember Hanlon's Razor.

EU doesn't require these BS popups. Both GDPR and the earlier "cookie directive" (the ePrivacy directive) only require user consent before setting cookies (or using other similar technologies, not only cookies) that have privacy implications (e.g. user tracking, advertising) - and then that consent can be also managed by other means, there is no requirement to have such a popup.

Normal cookies required for the functioning of the website - e.g. session tracking, user input, etc. are exempted and don't require user consent.

See for ex. here (the official cookie guidelines for EU institutions' websites): https://wikis.ec.europa.eu/display/WEBGUIDE/04.+Cookies

Don't blame these BS popups, interstitials, click-through wrappers etc. on Europe, that's purely site operators' laziness, legal CYA (force these wrappers even where not required) and greed where various analytics and tracking cookies (which do require consent) are being deployed.

The penalty for screwing it up is 20m euros or 4% turnover - why is it not surprising that devs play it safe? This is entirely the law's fault for driving this behaviour.

That is not correct. This is the penalty for wilfully screwing it up, and refusing to engage with the regulator when challenged. The most likely outcome of being reported is some advice from the regulator about how to comply.

> 'wilfully'

subjective and at the discretion of the accuser.

There's a saying somewhere:

Simple rules give rise to complex behaviour.

Complex rules give rise to simplistic behaviour.

So you think the law shouldn't make a difference between murder and accidents either?

Are you volunteering your site to be the test case?

If I had one, of course.

> This is the penalty for wilfully screwing it up

It isn't incidental that the penalty for being accused of willfully screwing it up is quite high: having to defend oneself against a 20 million dollar judgement.

By now it should be known that doesn't happen.

Says who? Even if it doesn't today, what authoritative source says it won't tomorrow?

You can't act surprised when people drive 55 in a 65mph zone because 'no one gets a 20 million dollar ticket for accidentally doing 5 over.'

It's simply how things work in countries that aren't failing like the USA. Your paranoia is unfounded.

Yup you are right, it is definitely every website with a cookie banner that's wrong. Can't possibly be the result of regulation which protects important things like privacy.

When the world disagrees with what you think should be happening the problem is not with the world but with your understanding of it.

"Eat shit! Millions of flies can't be wrong." I prefer critical thinking over appeals to the majority.

> Normal cookies required for the functioning of the website

If I happen to click a link on a news aggregator website like this one, then why would the website I visit (possibly for the first time) require my browser to accept cookies?

A technical answer might be that they want to implement a policy to grant you free access to one article per week, and then demand payment to access more than that, and a cookie is a simple way to do that (yes, easy to circumvent, but that’s pretty uninteresting from a legal sense).

I don’t think GDPR demands “consent” for this though.

It works the same as the "cancer causing" law in CA. Because the penalty isn't worth the risk, it's almost universally considered better to include the warning even if you don't "think" you need it, because you could be wrong. And being wrong (especially when including the notice costs virtually nothing) is definitely a risky thing.

I absolutely blame the EU for this. The job of any political organisation isn't just to blindly regulate, but to predict the likely response of the regulated industry, including in a worst case scenario.

I worked in web dev when these regulations were introduced, and any idiot could see that most companies would take the laziest, safest route to complying with them, in a way that would put a massive burden of inconvenience on the user.

If the EU was competent, they wouldn't have needed warning about this outcome. But they were warned, again and again and again. They chose to ignore it and screwed over their constituents for nothing.

The majority of these are not compliant either way because they are either "opt-out" (with pre-ticked checkboxes) or make it difficult to not grant consent/withdraw consent (declining usually requires many more clicks than accepting).

What the EU did wrong is not the design of the law, it's the lack of enforcement. Enforcement of the law will fine anyone requesting consent in an annoying/obnoxious way and will clean up the current mess we're in.

Well yes, I agree. They should've banned tracking cookies outright, informed consent or not. Alas, they tried to leave space for honest businesses to play with - which is always a bad idea where it comes to the advertising industry.

They should just ban all ad tracking cookies outright and remove the cookie for good.

I can't believe this isn't handled by the browser. Make a standard API like the location or notification pop ups. Have a setting that says I understand what cookies are and I accept all.

The problem is you're expecting the developers and website owners to voluntarily opt-in to this browser standard.

It'll probably have about as much adoption as Do-Not-Track...

Well, in my ideal world a browser would ask for permission before placing a cookie at all. It shouldn't matter what the developers did, my browser would detect an attempted cookie placement, notify me, and ask to verify that that's okay.

So show a warning when it’s not detected like SSL.

Wouldn't that hurt simple websites which don't track by default?

The Cliqz browser used to have this feature built-in. It would ask you once in the beginning what your default choice would be regarding data collection practices (e.g. opt-out of everything or opt-in; most likely you would like to opt-out); then it would automatically apply your choice on each website (meaning that it would tick the right boxes for you) then hide the popup. It was a really cool feature IMO.

That would also necessitate an 'accept none' option, which no corporation wants.

FYI, the relevant European legislation says that ignoring the banner means exactly this—it’s all required to be voluntary opt-in, consent freely given. My impression is that >90% of cookie banners are utterly non-compliant, and thus a total waste of everyone’s time.

And I assume Google would refuse to implement it being that their business is tracking users through various means to serve them ads

Lynx does this.

I think most of those popups are intended for compliance with GDPR. A browser feature that eliminated the interaction might conflict with the intent of the statute.

I use vimium[1] to close most pop-ups by typing "f" and then hitting the letter that pops up next to the close button.

If that doesn't work, I use a bookmarklet called "Remove Sticky"[2]. I type "bre" and hit enter when sticky things pop up to get them gone.

[1]: https://chrome.google.com/webstore/detail/vimium/dbepggeogba...

[2]: https://news.ycombinator.com/item?id=23446504

That's actually a smart way of using vimium, thank you! I'm gonna set more bookmarklets for various tasks now.

I feel like something should have been implemented at browser level through HTML meta tags to display the cookie banner. This would allow websites to declare technical cookies that cannot be blocked and other cookies that can be blocked by the user. We could even have a standardized, native cookie banner in the same way as the permissions asked by the browser.

Any idea if there's a chance to get this one day?

They tried something similar with the do-not-track setting / header, but it was not backed by legislation so respecting it was purely optional, and a lot of companies opted to not respect it.

In theory that would've covered it, along with a setting on startup / a review notification every once in a while, but without the legislation backing it, it wasn't successful.

Can companies not also choose to not respect your choice on their popups? Seems like the rationale for preferring popups over this is not very sound to me.

That won't work because most people will want to just permanently block tracking cookies. You could legislate it, but it would effectively kill targeted advertising.

The dialogues are only necessary because the website owners want to send you tracking cookies. If they choose not to, there is no need for any kind of banner, native or otherwise.

Targeted advertisement can be killed. I never bought something based on such ads and I don't need to see the same products I bought yesterday repeated over and over again on many unrelated sites.

> That won't work because most people will want to just permanently block tracking cookies. You could legislate it, but it would effectively kill targeted advertising

So? The only difference between what I suggest and what we have is user friendliness. The law is already here.

Yeah, but technical obtuseness is intentional. First, to force users to click "accept all" and second to make users hate the law.

It could be more user friendly, but that is not the desired political/economical result.

So Chrome isn't going to implement it for obvious reasons, Firefox (which is funded by Google) isn't going to implement it either. Maybe Safari? I'm not sure if Apple cares. Brave? Brendan Eich will probably get assassinated before this change is rolled out.

Sounds like the evil bit https://en.wikipedia.org/wiki/Evil_bit to me.

That's not the point. The law is there, we have to deal with it. But implementing it on browser side would just be a less awful way to implement it everywhere.

What if I want to block "technical cookies"?

At this point just block all the cookies with the browser setting.

You suggested browsers should implement unblockable "technical cookies" though, when you said "This would allow websites to declare technical cookies that cannot be blocked and other cookies that can be blocked by the user." Your own suggestion would stop me blocking them in the browser, unless "that cannot be blocked" means something other than what it sounds like.

Not the point, that's nitpicking.

The point is that cookie banners should be a browser component.

Then block them. Use uMatrix or one of the other plugins to do so.

Read the post I was responding to. thiht suggested "This would allow websites to declare technical cookies that cannot be blocked and other cookies that can be blocked by the user." He suggested browsers should implement unblockable cookies. I was asking what happens if I want to block them...

I was suggesting blockable cookies in the context of this hypothetical cookie banner. It wouldn't prevent you from blocking all the cookies if you want, just not in this banner.
