As for server-side fingerprinting, the browser, upon the user's choice, would send the allow/deny information to the website, which is forced by law to honor it (as it is today).
If a browser blocked all cookies until the user turned them on you'd have the choice of "no login" or "login works, but so does all the tracking".
Not saying the current state of affairs is good, it's awful.
That way, each cookie could describe itself as login, tracking, optional functionality etc.
You can then penalise on cookies that purposefully violate this, and allow the user to centrally opt in or out of each type.
I see you've covered that with penalising sites who mislabel. Who maintains this list? If it's the browser vendor remember which company owns the largest share in this market.
Otherwise have a way for the web site to trigger a browser-controlled consent UI. This would be a one-shot thing and clicking "no" would trigger a spam signal. Too many of these and the web site loses its "ask for cookies" permission.
Cookies for anything not trusted have a lifetime of "until the tab is closed".
Don't be too rough on them. You should look for a viable and sustainable solution, not a radical GtFO doomed to end here.
> Cookies for anything not trusted have a lifetime of "until the tab is closed".
"until the tab is closed" policy isn't convenient even for the user. I tried it and reverted to "until the browser is closed" quickly.
Things like server-side fingerprinting must be enforced through legislation, e.g. it's against the law to track users if they've selected not to in the consent form.
There is zero need for standards, which won’t happen anyway because of the power Google has with Chrome.
The only protections we can have right now are client-side.
2) Pass a law making it illegal for a company with business in the EU to not honor a Do-Not-Track header, with a transition period of several years.
Step 1 is technically very easy. Step 2 is legislative.
1. When the user starts the browser for the first time, ask if they want to allow tracking cookies on all websites.
2. When the user visits a website, pass that tracking answer as true or false. Firefox and Chrome have buttons beside the URL already for 'Site Settings'. Allow users to override their global tracking setting with a per site settings there.
This would be infinitely better than the mess we have now, where every website gives us a pop-up with an intentionally confusing interface. Why can't I say 'No' to tracking once? Why do I need to do it countless times a day, each time navigating a new and confusing interface?
Would it be legal/ethical to allow automated pre-commitment to all terms and conditions that nefarious sites may choose to scatter around their pages, many of which won't have been written until after the user had ticked this "agree to everything" box?
> every website gives us a pop-up with an intentionally confusing interface
Any site doing this is breaking the law. Report them please.
> Why can't I say 'No' to tracking once?
Because sites which track you don't want it. After all, they're the ones who invented "cookie banners"; and they could choose to get rid of them by just, you know, not tracking people. Yet they don't.
To who? What do I say? The issue with GDPR is that it's for all intents and purposes unpoliced and unpoliceable unless you happen to have sway with a local regulatory body.
I live in the UK, and ICO are toothless. I've filed multiple complaints - inability to opt out, misuse of PII for advertising purposes, and each time have received a cookie cutter response telling me to report it to the company and respond to ICO if it's not to my satisfaction. That was the last I heard of every complaint, despite me following up.
Isn't everyone 'agreeing to everything' outside of the GDPR when they visit sites now, without the option of saying 'no'? Isn't everyone covered by GDPR being tricked into 'agreeing to everything' at the moment? Giving users the ability to disable the tracking aspect across all sites with one simple setting seems like a plus here.
> Any site doing this is breaking the law. Report them please.
Has any action been taken against a site for making their opt-out option more complicated than their opt-in option? Why try to regulate how millions of sites prompt users for consent instead of a few browsers?
> Because sites which track you don't want it. After all, they're the ones who invented "cookie banners"; and they could choose to get rid of them by just, you know, not tracking people. Yet they don't.
They didn't invent cookie banners, they added them because they were required by law. The same law could remove cookie banners and require the sites to respect a browser cookie.
If there's no option to refuse consent, then it's not compliant with GDPR. In countries which implement GDPR (mostly EU countries, but I'm in the UK and our law implements GDPR but we're no longer an EU member) those sites are breaking the law (that country's implementation of GDPR).
If you're talking about those in countries which don't implement GDPR (or equivalent), then yes; those people are generally not protected by EU law.
> Giving users the ability to disable the tracking aspect across all sites with one simple setting seems like a plus here.
I agree. Again, good luck getting surveillance companies to pay any attention, or prevent them implementing technically-legal workarounds: "Just a moment! We see you've opted out of our advanced partner network. You may be missing out on the latest tailored brand recommendations! Click here to opt back in."
> Has any action been taken against a site for making their opt-out option more complicated than their opt-in option?
Not as far as I'm aware (and I can't see any on https://www.enforcementtracker.com )
> Why try to regulate how millions of sites prompt users for consent instead of a few browsers?
1) Browsers aren't surveillance companies (OK, not all browsers are; e.g. I'm pretty sure lynx isn't meant to be spying on me).
2) GDPR is bigger than any particular technology. It seems reasonable to make some regulation like "The public considers your business model to be exploitative; from now on this requires explicit consent." It seems less reasonable to make a regulation like "The technology/product/process/service you provide could potentially be used by others in these specific ways that the public does not favour; you must provide this specific mechanism/option/etc. in case it does get used for that purpose". It's not necessarily a bad idea, but it would be a pretty big ask. Even looking at the current situation, how would this handle apps? What about tracking pixels? What about scanning nearby WiFi network IDs? What about research or hobbyist operating systems? etc.
> They didn't invent cookie banners, they added them because they were required by law.
The intent of the law was to reduce the prevalence of surveillance-based business models. They've always had the option to stop. That would be the preferred option, for those who wrote GDPR, for members of the public who don't want to be tracked, for members of the public annoyed by popups, etc. They chose banners and, to a lesser extent, to gaslight the victims of their surveillance into thinking that GDPR required all these sites to break their own UX.
> The same law could remove cookie banners and require the sites to respect a browser cookie.
Again, it would be nice, but I imagine there would be an industry established overnight to provide opt-back-in banners, under whatever guise they can get away with.
I 1000% agree. And usability is not the only reason. I would also name the obvious responsibility delegation/abstraction principle and the original semantic concept of a web site: 1. the functionality every website is meant to have should be implemented at the browser level 2. no website (those using tracking elements included) should be required to have interactive elements (like the consent button) or off-topic texts (like the cookie notification).
We had this ( https://en.wikipedia.org/wiki/P3P ). It didn't catch on.
> It makes no sense that blocking cookies should be done via inconsistent and dubious interfaces implemented by the websites themselves.
It also makes no sense that authentication should be done via inconsistent and dubious interfaces implemented by the websites themselves. Browsers have offered login prompts for years, yet they're usually avoided. Some sites hijack scrollbars, so it's not particularly surprising.
From the legal side:
On the other hand, users don't want to be tracked and surveilled. Hence anyone collecting personal data for those reasons cannot assume implicit consent. The choice is simple: either stop doing it, or ask for explicit consent. If you're seeing obnoxious "cookie banners", it's because the operators of those sites would rather mess up their UX with annoying crap, rather than entertain the idea of not being a creepy stalker.
From a pragmatic point of view, making it easier (or even automatic!) for users to give up their rights, in a blanket way to anyone who asks them to, just so unscrupulous corporations don't have to experience negative repercussions of their user-hostile decisions, would seem to defeat the whole point of GDPR.
If you don't want to see "cookie banners", ask the site operators to stop being creeps; that way, they wouldn't need to ask.
The way to know if someone gave consent is by looking at the cookie.
Unless you mean that consent must be stored as a cookie because the law says so. If that's the case my comment doesn't apply, but I'm not sure whether that is what you mean.
That's effectively what there should be, right next to the "accept" button, and after a plain, simple piece of text that says "We would like to share your data with advertisers and trackers, because we get paid for that, can we have your permission?"
There shouldn't even be any cookie-flushing necessary, the kind of functional cookie that effectively says "do not track" is allowed without notification or consent. That should be enough to stop the harassment.
It never is though.
Explicit consent is only required when the user's personal data will be used for purposes other than implementing the functionality the user wants to use. In other words, spying.
If you see a "cookie banner", it's because the site you're visiting wants to act against your interests, and GDPR made that illegal by default. Ask the site to stop acting maliciously, and then they won't need a banner.
Why didn't GDPR make it illegal in general then, if it is such a no-brainer?
It would also be an incredibly restrictive thing to do. Consider copyright laws as an analogy: they are "all rights reserved", making it illegal to copy, distribute, perform, etc. a copyrighted work by default. That is very different to an outright ban on copying, distributing, performing, etc. a copyrighted work (it would be illegal to show movies in theaters, or to publish books!).
Interestingly, GDPR doesn't allow incentives to be given in exchange for consent. People can incentivise publishers to distribute copies of copyrighted books, by providing money (i.e. buying the books). Surveillance networks cannot pay users to give up their personal data. This is a nice asymmetry of GDPR, in the public's favour.
I have this automated with Firefox + the Temporary Containers addon. Every new tab is a new, disposable container, which gets deleted some time after I close the tab.
Most people, if asked would just block all ads on TV, radio, print, and web.
But then prices for products themselves would skyrocket. There wouldn't be any free webapps, etc.
For example, Facebook would have to charge money.
It might make the world a better place. Might not.
If I were forced to be though I suspect it would be a good thing
Facebook netted $18 billion in 2019, there’s a long ways to go before they aren’t making money.
Sure there would. The pattern would be "pay for more features", the free version being more of a limited demo.
This used to be a common pattern among Android apps, even without ads on the free version in the early days.
edit: uallo points out below that this is the specification. I didn't realize because none of the browsers implement it.
Yes, that is exactly how it was specified:
I think if DNT was per Domain, advertisers would let your browser make a bunch of requests to different domains and check for which you have DNT set, which should give a fairly unique fingerprint...
The point of the law changes is that it becomes the website's responsibility to act properly, and ensure real opt-in.
If DNT was default off and was respected, most people would have never heard of it to switch it on. That's the only reason the ad industry even comment on it - it was designed to do nothing.
Yet they still don't. They just manipulate the user into clicking yes without reading, again. I couldn't even find how to deny "the Oath" no matter how hard I tried.
Hopefully sometime it will be prosecuted. Until then treat as a big red flag.
It's in Firefox under Preferences -> Privacy and Security -> bottom of Enhanced Tracking Protection. Or just search for "do not track".
Privacy Badger has a separate setting (enabled by default) if you have that addon installed, and the header is sent if it's enabled in either place.
I know about these because I had a hell of a time at work adding Mixpanel to something. They respect this header. Unfortunately, I think it also means we underestimate the number of Firefox users we have.
Could also use private/incognito windows for new domains. That's what I do.
Only malicious activity like surveillance requires explicit consent (e.g. via a banner).
What these boxes should say is "Please can we track you and sell your data to third party advertising services?"
Because that's what's really happening here, they're begging for your permission, but dressing it up like it's some sort of technical decision about cookies and trusted partners.
Also it's not that I'm consenting to being tracked I just don't care whether they set cookies as I will delete them automatically anyway. That's very different from telling them to go ahead and figure out my identity.
1. Sharing them with Google, through GA
2. Sharing PII. I have zero faith in big commercial sites. They'll likely try their hardest to fingerprint me, and track my every move across the web.
You have to draw a line somewhere. And since most HW info can be used for fingerprinting, I don't feel like sharing it with unknown websites.
I've looked for it, but couldn't find a screenshot of the old Internet Explorer prompt, that, by default, used to ask you every time a website wanted to drop some cookie on your computer. Why did we move away from it? Are we going back there? What is different now?
I have a blog post I'm thinking about writing about this due to launching my last app.
It's basically impossible to make everyone happy so much so that it's a bit of an absurdism.
There are people that don't want to be tracked, then there are people that don't want to be tracked by a specific company because they are doing a boycott.
Let me insist that I am okay with statistics, but against tracking. GA is tracking. I do opt-in into statistics in software like Mozilla Firefox, etc. I just don't want to be tracked. I'm fine with giving away some information about myself so that websites know my 1680x1050 resolution is still being used, or that someone still uses Firefox, or on which page I landed, if I visited a few more pages. But nobody needs to know exactly what websites I visited today, where I ate, when I woke up, etc. It's my business and only mine. Would you be interested in such data about me? If not, why would you help Google achieve that very goal?
Other trackers (twitter, facebook, most other social networks, analytics companies and advertiser networks) are just the same to me. But maybe some people boycott Google specifically.
And then suddenly, on the 16th website they put a fucking "Buy our thing" button in a bottom bar that you quickly click on without even thinking twice.
TLDR: The market always wins, just download an adblocker.
Great job guys
But it strikes me that this is almost entirely a client-side problem. If a server wants to give me a cookie or put something in local storage, or serve me URLs with a tracking parameter in the url, so be it -- there's no privacy violation unless they can ask another website if they know who I am, and blocking third party cookies stops that.
Fingerprinting is not solved by clearing your cookies. The GDPR is not about cookies but about data retention and processing using cookies or not.
Accepting to be tracked allows the website to store legally your personal data and probably use fingerprinting to follow you around.
Even the BBC do shenanigans wrt cookies, they don't have a reject button. You have to navigate to a settings page, the page shows all non-essential settings as off, then you navigate back. So, you'd think that non-essential cookies are off by default, but of course they're not; AFAICT if you don't visit the page on which you do nothing then it turns the cookies on ... so you don't need to turn them off, but if you don't not-turn-them-off then they're silently enabled.
Properly compliant sites have "no/reject" buttons and still show all content after you press it.
Via email, yes.
There is also an online dispute resolution center: https://ec.europa.eu/consumers/odr/
This allows you to complain about a European company if you deal with it from another EU country.
GDPR is actually quite clear and logical on the notion of consent. Implicit consent is implied for anything essential for a service, everything else has to be opt-in.
Maybe "manipulation patterns" would be a better informative term.
It gives you two options: 1) consent to tracking and data collection, with a vague promise that you can withdraw your consent later; 2) become a paying subscriber.
GDPR says that "When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract". Shouldn't that mean that forcing consent in order to allow someone to read an article is not consent freely given?
Basically anything that makes you want to just rage close it is illegal.
The trick no one seems to understand is that this is not about getting your consent.
It is about making things that cannot get your consent in "good" ways illegal. Anything that needs to be big and visible means that they are doing things that are too much for informed consent to be given.