No Cookie for You (github.blog)
2941 points by todsacerdoti on Dec 17, 2020 | 609 comments



This is fantastic. Thank you, GitHub.

I hope this is a good demonstration of a hands-off approach at Microsoft in regard to company culture.

I realize you likely still collect some analytics for yourself and that this change does nothing to alleviate that. E.g., first-party JavaScript. But it's great that it's divorced from 3rd parties.

Presumably Microsoft has access to those metrics, though? I wonder how deeply that gets parsed in conjunction with everything else they collect.

If only you could export some of that culture back to your corporate overlord. I'd love if MS Teams stopped exploding its RAM usage until it eventually has to be killed if it's unable to get an OK response from its analytics endpoint.

And I'd love to turn off analytics in Windows altogether. Even getting to the minimal analytic configuration is an exercise in futility spread out across a million different settings, some of which decide to reset themselves in obfuscated ways sometimes. E.g., some think updates reset them, either directly or by doing things like changing default programs to ones which require analytics (e.g. Office). Or a change to one setting requires additional changes elsewhere to be effective.


GitHub still sends the same personal data to their own analytics endpoint, and the privacy policy which lists third-party data subprocessors [1] has not been updated.

See my comment below for details: https://news.ycombinator.com/item?id=25458635

Tracking cookies have little value for GitHub when they can collect data about users that have already been authenticated, and they send the username and user ID as part of their tracking request.

Inspect the request sent to collector.githubapp.com on every page load to see the type of personal data that is being collected on the client-side.

We have no visibility into how they associate this data with analytics data collected on the server-side, and that's where an updated privacy policy would also help.

[1] https://docs.github.com/en/free-pro-team@latest/github/site-...


A GitHub spokesperson has issued this statement [1] about a request to api.github.com: "That endpoint tracks aggregate performance metrics, and does not rely on cookies or other unique identifiers".

GitHub is still sending our usernames and other unique IDs, our device data, and the pages we visit to the collector.githubapp.com endpoint.

GitHub's claims about not tracking users are false, they do identify users in tracking requests. See this tracking URL, it's full of unique identifiers and personal data, and it is currently sent after every page load, without user consent:

  https://collector.githubapp.com/github/page_view?dimensions[page]=https://github.com/&dimensions[title]
  =GitHub&dimensions[referrer]=https://github.com/sessions/two-factor&dimensions[user_agent]=Mozilla/5.0 
  (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0&dimensions[screen_resolution]=1000x518&dimensions[pixel_ratio]
  =1&dimensions[browser_resolution]=1000x518&dimensions[tz_seconds]=0&dimensions[timestamp]
  =1608247177900&dimensions[referrer]=https://github.com/sessions/two-factor&dimensions[request_id]=
  9CF8:4938:4516EA:5FD134:5FDBE77E&dimensions[visitor_id]=6475638196559144773&
  dimensions[region_edge]=fra&dimensions[region_render]=iad&&measures[performance_timing]=
  1---600-600-600-400-400-----600-0----1608247177200--1608247176900--1608247176900--400- 
  400&&dimensions[actor_id]=47727044&dimensions[actor_login]=dessantbot&dimensions[actor_hash]=
  a274a9ae03a3b361483e273a53aba70534c609670c058fe667d8bce4d6f33bad&dimensions[cid]=1507727009.1608247109
[1] https://www.theregister.com/2020/12/17/github_will_no_longer...
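The request quoted above, parsed and bucketed by what each parameter reveals about the visitor. This is example code added here, not GitHub's code or the commenter's; the URL fragments are copied from the comment as displayed (the moderator's line breaks joined back together), while the category grouping and the audit(), parse_query(), unique_identifiers() and pseudonymous_hashes() helpers are this example's own choices.

```python
"""Audit of the collector.githubapp.com page_view request quoted in the thread.

Added example, not GitHub's code. The URL is the one quoted in the comment;
the category names and helper functions are this example's own.
"""
import re
from urllib.parse import unquote

# The tracking request as quoted in the thread, split where the moderator
# inserted newlines; the fragments are joined back with no separator and
# keep the whitespace they had at the fragment ends.
PAGE_VIEW_URL = "".join([
    "https://collector.githubapp.com/github/page_view?dimensions[page]=https://github.com/&dimensions[title]",
    "=GitHub&dimensions[referrer]=https://github.com/sessions/two-factor&dimensions[user_agent]=Mozilla/5.0 ",
    "(X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0&dimensions[screen_resolution]=1000x518&dimensions[pixel_ratio]",
    "=1&dimensions[browser_resolution]=1000x518&dimensions[tz_seconds]=0&dimensions[timestamp]",
    "=1608247177900&dimensions[referrer]=https://github.com/sessions/two-factor&dimensions[request_id]=",
    "9CF8:4938:4516EA:5FD134:5FDBE77E&dimensions[visitor_id]=6475638196559144773&",
    "dimensions[region_edge]=fra&dimensions[region_render]=iad&&measures[performance_timing]=",
    "1---600-600-600-400-400-----600-0----1608247177200--1608247176900--1608247176900--400- ",
    "400&&dimensions[actor_id]=47727044&dimensions[actor_login]=dessantbot&dimensions[actor_hash]=",
    "a274a9ae03a3b361483e273a53aba70534c609670c058fe667d8bce4d6f33bad&dimensions[cid]=1507727009.1608247109",
])

# Grouping of parameter names by what they disclose (this example's own choice).
CATEGORIES = {
    "identifiers": {"actor_id", "actor_login", "actor_hash", "visitor_id", "cid"},
    "device": {"user_agent", "screen_resolution", "pixel_ratio", "browser_resolution", "tz_seconds"},
    "browsing": {"page", "title", "referrer"},
    "infrastructure": {"request_id", "region_edge", "region_render", "timestamp"},
    "measures": {"performance_timing"},
}

PARAM_RE = re.compile(r"^(\w+)\[(\w+)\]$")   # e.g. dimensions[actor_id]
HEX64_RE = re.compile(r"^[0-9a-f]{64}$")     # digest-sized hex value


def parse_query(url):
    """Return (group, key, value) triples in request order, keeping duplicates.

    Splits on '&' by hand instead of urllib.parse.parse_qs: the quoted request
    contains '&&' (empty segments) and ';' inside the user_agent value, which
    older parse_qs versions treat as a separator.
    """
    query = url.split("?", 1)[1] if "?" in url else ""
    triples = []
    for segment in query.split("&"):
        if not segment:            # '&&' yields an empty segment; skip it
            continue
        name, _, value = segment.partition("=")
        m = PARAM_RE.match(name)
        group, key = (m.group(1), m.group(2)) if m else ("", name)
        triples.append((group, key, unquote(value)))
    return triples


def audit(url):
    """Bucket every parameter by category; names not in CATEGORIES go to 'unclassified'."""
    report = {name: {} for name in CATEGORIES}
    report["unclassified"] = {}
    for _group, key, value in parse_query(url):
        bucket = next((c for c, keys in CATEGORIES.items() if key in keys), "unclassified")
        report[bucket].setdefault(key, []).append(value)
    return report


def unique_identifiers(url):
    """Sorted names of the parameters that single out a user or device across requests."""
    return sorted(audit(url)["identifiers"])


def pseudonymous_hashes(url):
    """Identifier parameters whose value looks like a hex digest.

    A stable hash still singles out the same account on every request, so it
    is a pseudonymous identifier rather than anonymised data.
    """
    report = audit(url)
    return [k for k, vals in report["identifiers"].items()
            if any(HEX64_RE.match(v) for v in vals)]


if __name__ == "__main__":
    for category, params in audit(PAGE_VIEW_URL).items():
        print(f"{category}:")
        for key, values in params.items():
            for v in values:
                print(f"  {key} = {v[:60]}")
```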


this isn't about tracking users, it's about cookies. no cookies doesn't mean no tracking. it's just a workaround to improve UX. "visiting our website does not send any information to third-party analytics services" - but presumably third parties are still able to access this data on request. their privacy policy probably reflects this. if you visit a website and don't want to be tracked, make it as hard as possible for the host to do so, don't rely on what the host says. they can do anything they like with visitors' data. anyone who hosts websites will confirm this


Don't confuse "we don't set cookies" with "we don't set non-essential cookies".

They say no "non-essential" cookies, but an anonymous user just landing on the homepage gets a cookie with some unique-looking tokens.

I've seen many companies just hire the right lawyers that would sign off on all sorts of tracking cookies as "yeah, this is essential, since we can't track users without it, and tracking users is essential to our business model".


> this isn't about tracking users, it's about cookies. no cookies doesn't mean no tracking. it's just a workaround to improve UX.

Except the GDPR and cookie directive, obviously, undeniably, unmistakably, weren't intended to give websites a "bad UX" obstacle to work around.

It's not even about cookies. It's about letting users AGREE to being tracked and then track them, OR (with the same amount of effort and without denying them service vs tracked people) DISAGREE and then not track them.

If they're still tracking me and keeping data about me that they can match to the PI that is my github account, then this "no cookie" thing is just more "letter of the law" bullshit.

I think it's pretty damn clear to Github and MS what the intention of these EU laws is. They can't just say "oh it's worded in a way that gives us wiggle room, so fuck your intentions". Well they can but they'll find out whose faces they told "fuck your intentions" to.

We're trying to protect consumers from tracking bullshit, here. Not throwing up obstacles for large corporations to work around.


> no cookies doesn't mean no tracking

It does though make tracking by third parties so they can sell things to me (or sell information about me to other parties for that use) more difficult. Not impossible though, of course.


Yes, they can do anything with the user's data, if the user has consented, or if they are willing to break the law.

The tracking request you see above requires informed consent under GDPR, and GitHub does not ask for consent before collecting browsing and device data that is tied to GitHub usernames.


consent is simple to gain, who reads the entire ToS and privacy policy?

the law is simple to break and appear as if you're not. they're a big company and will have this covered if needed

the bottom line is, do you place more trust in your local lawmakers and the website you are visiting than you do in yourself


> consent is simple to gain, who reads the entire ToS and privacy policy?

That's not how informed consent works, you can't just mention the collection of personal data in a privacy policy. Consent must be explicitly requested for this type of tracking, and you must be able to reject it, and continue using the service.

> the bottom line is, do you place more trust in your local lawmakers and the website you are visiting than you do in yourself

The request can be blocked with uBlock Origin, but it's still important to draw attention to tracking that may be illegal, since not everyone has a content blocker installed.


if you agree to terms which request consent, you are giving consent. how they are displayed to you and whether or not they are explicit enough or too hidden is subjective

you'll need a stronger arsenal than a content blocker to avoid modern fingerprinting, legal or otherwise


Mentioning user tracking in a TOS or privacy policy that is mandatory to accept in order to use the service is no longer legal.

This article may help you understand what consent means under GDPR: https://www.privacypolicies.com/blog/gdpr-consent-examples/#...


To add to this:

from my understanding of the rules even a lot of the informed consent popups today aren't compliant.

If I understand it correctly (and I think I am) the standard is that it should be equally easy to opt out as to opt in, and the default should be opt out.

IMO this means I should just be able to dismiss any GDPR compliant box and the result should be no tracking.


Correct. Also, you cannot withhold access upon users not consenting, so there's literally zero incentive for users to ever consent for compliant providers. Which is kinda obvious with the GDPR's overall goal of making it impossible to use privacy as currency.


GDPR has lots of issues and this is one of the major ones. It can be easily argued that companies cannot be forced to service users and there has been no real precedent or enforcement around this.


A company cannot be forced to service users. It can also decide to stop operating entirely, and die. A company can be forced to not use particular criteria to decide to service specific users, an idea with a long history - a common example is skin color.


This has nothing to do with immutable physical characteristics and such comparisons only highlight how silly the argument is.

Consent is a voluntary action. Usage itself is a form of consent. However, a user disagreeing with what the company requires to provide that service but still being entitled to and actively using that service is not workable. A user can decide to stop using a service entirely though, if they don't agree with the requirements.


You aren't forced to service users. You just cannot make consent the currency for your service. Either don't require consent or don't operate in the EU.


> "don't require consent"

That's meaningless. Usage is already a form of consent. The discrepancy is between the user and the company in what is consented. Forcing the company to provide service to the user even if the user disagrees with an upfront description of what the company requires to provide that service is a completely valid objection.

Also GDPR applies to any organization providing to citizens of the EU, not companies operating there, but that's yet another example of poor design which results in GDPR having little enforcement.


it will appear legal if it is worded correctly, just the right side of ambiguity, proofread by a dozen lawyers and backed by a multi-million dollar body

also, to contradict your own tangential claim (from your non-authoritative link): "You _should_ ask for consent where you are offering a genuine choice over a non-essential service. Typical examples include:

-Using tracking/advertising cookies"

this document may help you understand the difference between should and must: https://www.ietf.org/rfc/rfc2119.txt


Did you seriously just link an IETF document as the basis for an argument about the law? Never mind the difference between "should" and "must", do you understand the difference between an RFC and the law?

And there is no room for ambiguity in the actual law:

https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv%...

> Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.


> Did you seriously just link an IETF document as the basis for an argument about the law?

of course not, it was an example to demonstrate the difference and easier to include one link for both definitions than e.g. two for each from a dictionary

> Never mind the difference between "should" and "must"

given the context I believe the difference is of paramount importance

> do you understand the difference between an RFC and the law?

slightly reworded first question but yes, I do, thanks

> And there is no room for ambiguity in the actual law: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv%...

that seems a good example for a better source which actually bolsters my point on bad sources, but alas, it's irrelevant. note that it refers to personal data and not (third time lucky) the original argument concerning tracking consent. in fact, I cannot even find any personal data in the OP's URL, probably because no personal data is required to create a GitHub account. let's just ignore that one for now


Terminology in guidelines for following a new law != terminology in technical documents.

Not being able to get implicit consent by hiding some terms in a long legal document is the entire fucking point of the GDPR.


as above


> consent is simple to gain, who reads the entire ToS and privacy policy?

nobody because they are pretty much meaningless in the EU

we got laws to protect consumers, not laws for businesses to trick users into making some meaningless gesture

> the bottom line is, do you place more trust in your local lawmakers and the website you are visiting than you do in yourself

what do you mean by "local lawmakers"? these laws are EU-wide. or did you mean "local" to mean, "non-US"

anyway, these lawmakers are fighting the shitty corporations that pull this tracking stuff

and your bottom line is not really a choice one way or the other. I can use blockers and other plugins to protect myself, AND cheer on the people fighting the fuckfaces that think it's in any way honourable to make a profit by merely following the letter of our laws

but we got some really good consumer protections in the EU. and we try to keep it that way. we're not going to simply roll over because some US corporations are used to being able to track the hell out of US customers


You're talking about GitHub monitoring what signed-in GitHub users do on the GitHub website, right?


I had to put some newlines in that monstrous link because it was breaking the page layout (sorry; it's our bug).


What is the real value in a privacy policy? I assumed they were similar to EULAs - totally unenforceable. Are there actually any legal repercussions if they lie in their privacy policy? Or is it just ill will that might be accrued (and probably quickly forgotten) if they are found out to have violated their own privacy policy?


It sounds like you have misunderstood the purpose of a privacy policy. It is very rare that I encounter one that is designed to protect the user's privacy. Far more often, it's there to protect the company. "I have read and agree to the privacy policy," is a coded way of saying, "I have read and agree to waive my claims to privacy, as outlined in the privacy policy."


>Far more often, it's there to protect the company.

That's pretty much true. And why shouldn't a group try to limit their liability?

>"I have read and agree to the privacy policy," is a coded way of saying, "I have read and agree to waive my claims to privacy, as outlined in the privacy policy."

That's often, but not always true. For example, here's a [sanitized] privacy policy I wrote for a website I set up for a specific (noncommercial) purpose:

"[Site] Privacy Policy

No personal information^ will be stored on the https://www.[site] web server (except as specifically authorized), and every effort will be made to protect the integrity and privacy of such information.

[Site], its management or assignees will never sell personal information collected on this site, nor will they use such information for purposes other than specifically related to the operation of the [Site] website and/or to facilitate the dissemination of information regarding [purpose of site] and other group activities related to [potential users] and other [user purpose] related group activities.

Under no circumstances will street address or telephone number information be stored on the www.[site] by [Site], its management or assignees.

[Site], its management and assignees will never, under any circumstances reveal email addresses, street addresses and/or telephone numbers to anyone without explicit authorization. From time to time, [site] may offer services to allow [potential users] to contact each other. For these services, [Site], its management and assignees make no warranty of fitness for any purpose, including maintaining the privacy of users' personal information.

All personal information will be held in confidence and will only be used for the purposes of the [potential users] [purpose of site] and official [membership organization] business.

This business includes (but is not limited to) providing personal information for inclusion (by the [membership organization]) in a printed work to be published at a later date. If this published work is then used for illegal and/or nuisance purposes, [Site], its management and assignees disavow any responsibility or liability for the use of that information by third parties for any purpose.

If a subscriber (limited to members of the [potential users]) chooses to share their personal information with other subscribers via any mechanism made available through the [Site] web site, mailing list or other conveyance provided by [Site], its management and assignees disavow any responsibility or liability for the use of that information by third parties for any purpose.

Under no circumstances will [Site], its management or assignees be liable or otherwise legally responsible for the theft, misuse or other unauthorized use of personal information.

Any person or entity registering on, providing contact information, or subscribing to the [Site] web site explicitly agrees to all the terms of this privacy policy.

This policy applies to the www.[Site] web site and the [Purpose of site]@[Site] mailing list.

If any portion of this policy is found, by any competent jurisdiction, to be invalid or unlawful, the remainder of this policy will continue to be in force.

The terms of this policy may be modified at any time at the discretion of [Site]. It is the responsibility of the subscriber to review the terms of this policy on a regular basis. Current versions of this policy can be found at https://www.[site]/privacy.html.

^Personal Information: Data such as street address, email address and telephone number which would enable direct contact with the subject of that information."

It does two specific things:

1. Informs users how their PII will (and will not) be used;

2. Clarifies the liability of those who own/run the site.

Unlike most "privacy" policies, there's nothing underhanded or privacy invading/data stealing involved.

I wish more privacy policies were like that.


> And why shouldn't a group try to limit their liability?

When it's unethical to do so :)

... unrelated to your privacy policy btw, which I think is pretty good.


Violation of privacy policies alone does not give rise to a cause of action. However such violations could be useful as evidence in the context of suing on some other basis. Of course, there is no satisfactory basis to sue tech companies for violations of privacy. That is why privacy is being decimated by tech companies. There are no adequate laws to protect it. Privacy policies seem to be an effective way to placate the public. Users seem to take tech companies on their word.


GDPR should have given some legal teeth to privacy policies.


I haven't seen a lot of repercussions, if any actually. I would've figured something big would've happened right now with the antics that are up, but here we are - necessary to download an _opt-out_ extension for Google Analytics. This couldn't be a more blatant disregard for the EU laws than I could imagine. And at the same time here in the Netherlands we have the party responsible for enforcing laws handing out one, almost disproportionately large fine, to a small organisation each year. Like an 800k fine to a tennis unity because they were too aggressive in their data grievance, while all the big guys are still going at it and then some. Sorry for the rant but it's hard to stay optimistic, so seeing something like Github making a good move in the right direction, and seeing the post of plausible.io on the front page, this seems like a good day on the front of privacy.


> Tracking cookies have little value for GitHub when they can collect data about users that have already been authenticated

This is true of every advertiser or data seller, including obvious ones like Google, FB, Amazon... and less obvious ones like your ISP, Apple, etc.

The industry calls it a persistent ID (as opposed to cookies, which are transient IDs): https://digiday.com/marketing/wtf-persistent-id/ (random result, i do not endorse it)

The trick is: the publisher/intermediary has even more information about you, but they call you User-A instead of your name, so they can sell your history, zip, DNA, etc... just pretend not labeling the data with your name or some other personal identifiable information already listed in a Law somewhere makes everything fine.


History, ZIP and DNA already are personally identifiable information (PII). Pseudonymisation is in general not enough to avoid the GDPR and similar laws. And pseudonymisation would require the removal or obfuscation of all PII to the point that it is impossible to reconstruct the identity of the user.

There's no specific list of information regarded as PII, it's PII if it can be used to identify the user, even if only in combination with other PII.

The GDPR is really quite broad there, other laws may be more lenient. However, the GDPR is not yet very strictly enforced or tested in court.


> Pseudonymisation is in general not enough to avoid the GDPR and similar laws.

fortunately, "undermining the spirit of the law in order to continue to make a profit" is generally frowned upon in the EU, and lawmakers don't take too kindly to it. sometimes I get the feeling that in the US it's almost acceptable to publicly brag about doing this, like it's even more "socially" acceptable.


> GitHub still sends the same personal data to their own analytics endpoint

I see nothing wrong with that. Analysing your users on your own site is no problem for me. I should know what users do on my property.

What's the problem you have with that?


It's not GDPR compliant without consent. It doesn't matter whether you are using cookies or something else.


Why is it not GDPR compliant? You do not need consent under the GDPR. You need a (documented) "lawful basis for processing" personal information. Consent is just one of several lawful bases and honestly it's the most useless one, if you need consent your business model is screwed.

It's perfectly possible for GitHub to process personal information without explicit consent while not violating the GDPR. Several options come to mind:

1) consider analytics part of the "contract legal" basis, arguing that analytics to improve the usability of the website is a fundamental part of running a website.

2) The "legitimate interest" lawful basis, which states:

> processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Arguing that improving the accessibility/usability is in the legitimate interest of both company and user.

I'm fairly confident that, depending on which and what detail of personal information, both of these justifications will be accepted by EU courts.


> I'm fairly confident that, depending on which and what detail of personal information, both of these justifications will be accepted by EU courts.

I believe they must also show that they don't store this data strictly longer than necessary.

Which, in the case of analytics/usability would mean aggregating (and thus depersonalising) the data almost immediately.

And if they do that, it will indeed be fine. Both with the letter, as the spirit of the law.


That's a good point. Microsoft has been much less heavy handed than I expected. But your point about how the data is used, I am very curious too. I wonder if they'd be willing to make the privacy policy readable?..


Microsoft would like for you to adopt an image of GitHub as an upright corporate endeavor - but remember they block/censor developers from world states that the US doesn't like.


Microsoft/GitHub as businesses incorporated in the United States are bound by the law of the United States. I am not sure of what you are insinuating here.


Oh, great, they have an excuse.

Just like they have an excuse for allowing the NSA direct access to all of your data, right?


Yes, I don't understand this weird movement where businesses are expected to go against the government.

You disagree with your own government that's perfectly fine, and for the record I agree with you on the issues themselves, but if you want embargoes against Iran to be lifted or for the NSA to stop hoarding Americans' data you have to do the boring work of convincing the people to vote for people who share those ideas.

Real change will not come from corporations, it simply cannot because their mission is profitability, they support movements if there is no financial risk to do so.


Good job, can more companies follow the lead now? Btw when I see that banner - I always reject the option and still have not experienced any bad experience from the website.


If you don’t have to actually make money though, there isn’t really a point to the analytics third parties enable - eliminating bots and click fraud. Microsoft managers are incentivized to not identify bot or noise traffic, since their performance metrics do not separate those.


It is harder than that. I would for example like to use the google maps api - but I can't.


> I hope this is a good demonstration of a hands-off approach at Microsoft in regard to company culture.

I might 1‰ buy that if they restored the Widevine repos they snuck down for Google under cover of the controversy caused by complying with the MS-funded RIAA’s quasi-legal youtube-dl takedown request.


(GitHub CEO)

Hi everyone, thanks for all the enthusiasm about this change. We are happy to have removed cookie banners from GitHub, and not to participate in third-party tracking of user behavior.

Our privacy policies and subprocessor list will be updated next week following our customary 30 day user notice period. We do this in the open in a pull request, so you can see the changes now:

https://github.com/github/site-policy/pull/336


> We are happy to have removed cookie banners from GitHub

I'm a regular visitor to GitHub from the EU, most of the time not logged in and in private browsing mode, so I usually appear like a completely new entity that hasn't consented to anything. I only started noticing cookie banners on GitHub in the last month or two.

So... in the past, did you not have cookie banners because you didn't have tracking cookies until recently, and all this is a big publicity stunt? Or were you breaking the law up until a month or two ago by having tracking cookies but not asking for my consent?


Hi! Please also look into the collector.githubapp.com analytics endpoint, the request does not seem to be compatible with GDPR in its current form. Either unique IDs tied to the user will have to be removed, or express consent will have to be requested.

https://news.ycombinator.com/item?id=25461825


This is just not true. See my comment elsewhere in this thread:

Why is it not GDPR compliant? You do not need consent under the GDPR. You need a (documented) "lawful basis for processing" personal information. Consent is just one of several lawful bases and honestly it's the most useless one, if you need consent your business model is screwed. It's perfectly possible for GitHub to process personal information without explicit consent while not violating the GDPR. Several options come to mind:

1) consider analytics part of the "contract legal" basis, arguing that analytics to improve the usability of the website is a fundamental part of running a website.

2) The "legitimate interest" lawful basis, which states:

> processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Arguing that improving the accessibility/usability is in the legitimate interest of both company and user.

I'm fairly confident that, depending on which and what detail of personal information, both of these justifications will be accepted by EU courts.


1) consider analytics part of the "contract legal" basis, arguing that analytics to improve the usability of the website is a fundamental part of running a website.

Sure, you can argue that, but it has no merit.

The only reason that you can write that sentence with a straight face is due to the current affairs of the web. You know the thing that GDPR tries to rectify.

And analytics do not need personally identifiable information.

Try the three-part test suggested here: https://ico.org.uk/for-organisations/guide-to-data-protectio...

Purpose test: You can argue it has legitimate interest. And with a big enough loophole it might even pass despite it having no merit.

Necessity test: Absolutely not.

Balancing test: No chance.


This should be pinned :)


Kudos! This is a wonderful step. Hope more companies follow suit!


Until now GitHub has sent client-side requests to Google Analytics with a client ID that was also sent in a second client-side request to an in-house analytics API at GitHub for augmenting and cross-referencing user data.

The client-side Google Analytics request no longer appears to be sent, but a request containing personal data is still sent to collector.githubapp.com.

The privacy policy page which lists third party data subprocessors and cookies used on GitHub [1] seems to be outdated. Does the announced change also mean that Google Analytics and other subprocessors have been eliminated, or has some of the tracking merely moved server-side?

[1] https://docs.github.com/en/free-pro-team@latest/github/site-...


Came here to say this. Eliminating Google analytics is unequivocally a good thing. A strong B+ assessment. But the blog doesn't say anything about eliminating _tracking_. Personally, I can live with analysis that's used solely for product improvement. If that's all github is doing, then the score goes up to an A.

But if they're siphoning off data for any other purposes - whether passing to the mother ship or otherwise - then the score is down to D-. The intent of EU cookie regulation is to make tracking and data collection transparent and opt in. Changing the implementation to server side might comply with the letter of the law but it violates the spirit.

It would be good if GitHub would clarify their position.


This is all detailed in our updated privacy policy: https://github.com/github/site-policy/pull/336


Thanks for the update. It appears the data will continue to be sent to Google Analytics from the backend.


Hi natfriedman, thanks for the transparency.

Removing Google Analytics is a good thing, thanks for that. I also appreciate that you use DoNotTrack to give users a choice (even if this is not available on Safari any more).

As explained in the privacy policy, you basically now use the same cookie "_octo" both for session management and first-party tracking: https://github.com/github/site-policy/pull/336/files#diff-8b...

EU guidelines require that you offer granularity of choice for different “processing purposes”. See the "Guidelines on consent under Regulation 2016/679": https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_gui...

In section "3.1.3 Granularity" paragraph #44. "If the controller has conflated several purposes for processing and has not attempted to seek separate consent for each purpose, there is a lack of freedom. [...] When data processing is done in pursuit of several purposes, the solution to comply with the conditions for valid consent lies in granularity, i.e. the separation of these purposes and obtaining consent for each purpose"

You grouped cookies together and removed granularity of choice. I think this is against the spirit of the regulation.

Overall I think the change is positive, but grouping cookies to avoid a banner is still against the regulation.


I know it is not a site wide issue and is probably a minor thing, but have you also looked into tracking done by embedded media, like embedded Youtube videos?

In case of Youtube there is a no-cookie domain that can be used for embedding and then, while client still sends the request to them, no additional cookie is set.


Thanks for responding Nat. My interpretation from the PR:

You've stopped using cookies as a mechanism for marketing/tracking. But you're still doing it by other means.

Rationale:

1. You are still tracking and may share the data with 3rd parties. Justification: privacy statement [0] line 147. It states that data are "aggregated, non-personally identified" which might mean it's GDPR compliant. OTOH: you're presumably holding the non-aggregated data for aggregation purposes in the first place. IANAL but I think that needs consent. I don't know CCPA well enough to comment.

2. The sub-processors statement [2] says this includes Google (and Google Analytics specifically), LinkedIn and Eloqua (marketing analytics firm) among others.

3. Cookies and - possibly? - other client-side technologies are only used for running and improving the service. Justification: Line 238 in the privacy statement. (There's a typo in there btw: "complie" should be "compile" I think).

4. You respect DNT - line 244. Which, presumably, means you do not track user behaviour on any sites other than github? i.e. those in which you are a 3rd party.

5. However, the privacy statement line 31 [1] states: "GitHub may also collect User Personal Information from third parties." Interpretation: whilst you're not collecting 3rd party personal information using cookies, you are (or "may") do so through other means.

[0]: https://github.com/github/site-policy/pull/336/commits/fe1b6...

--

EDIT: clarified GDPR point.

[1]: https://github.com/github/site-policy/pull/336/commits/79a99...

[2]: https://github.com/github/site-policy/pull/336/commits/e98e3...


> OTOH: you're presumably holding the non-aggregated data for aggregation purposes in the first place. IANAL but I think that needs consent.

I believe this is actually fine if they can show they don't hold this data longer than necessary and have a process for destroying it in a timely fashion.

But IANAL either


thanks, didn't know that.


to downvoters: can you explain why? That's not passive-aggressive, just desire to understand. The intent was an objective analysis of the revised privacy wording from the perspective of tracking. Do you disagree with the conclusions? Something else? Thanks.


Why do you think changing the implementation to the server side will comply with the letter of the law? Or perhaps I should ask which law.

GDPR doesn't differentiate between the client side or server side, you're simply not allowed to keep information on users unless they've consented to for it to be kept or it is required for a legitimate functionality to which they have consented.


So I am not allowed to keep server logs without consent?


If you're processing server logs for marketing purposes, then no, you need consent to do that.

You also should be trying to scrub IP addresses from those logs as that counts as PII.


>You also should be trying to scrub IP addresses from those logs as that counts as PII.

That counts as personal data.

The GDPR doesn't care about "PII", as that is a US legal term and not something defined or referenced in EU law.


Fair point.


That depends entirely on the nature of the information that is contained in your server logs.


And the purposes for which those logs are being used.


The "cookie law" that created the cookie banner mess predates GDPR by some years.


Isn't using the data for product improvement still tracking? I don't personally care, but I'm not sure if the GDPR does.


I had been planning to post about this issue a couple of months ago, when I noticed that GitHub was sending personal data collected on the client-side to Google Analytics without user consent.

Then recently they have introduced a consent popup, which was actually one of the most refreshing cookie consent popups I have ever seen: it contained two buttons, Accept and Reject. This popup has now been removed.

I think a lot of developers may have clicked on Reject, though removing tracking cookies will not absolve GitHub of the requirement to continue asking for informed and free consent under GDPR, if they continue to process personal data and share it with third-party services from their servers.

The current website code points to the same data still being sent to GitHub, only the implementation has changed.


When you say GitHub is collecting personal data in a JS request, what data do you mean exactly? IP address, browser, screen resolution type stuff?


I love it! As a web developer, cookie warnings infuriate me probably more than they should, as at least half of the time they aren't actually either required (only essential) or effective (doesn't actually comply, just annoys).

I've had clients straight up demand I should add an ugly cookie warning to the beautiful site I spent a month designing "because it's the law". Then, when I asked them to provide a full privacy policy to go with it, I've often gotten the response to "just leave it empty, nobody actually reads that". Thankfully, I'm stubborn enough to have always been successful in convincing them that maaaybe they should listen to the person who does this stuff for a living and not a sensationalist Medium article...


I wish browsers had a built-in mechanism for showing the cookie banners. After all, cookies are just an HTTP header sent from the server and it's up to the user-agent to handle it.

There could be a standard header such as cookie-privacy-policy which would point to a URL containing the policy in a standard format (html?) and the browser could show it in a standard way (by user's settings). Personally I would be happy with just a little "privacy policy" icon in the URL bar, similar to the https lock icon and reader view icon (in Safari).


Back in the day there was the P3P protocol (https://en.wikipedia.org/wiki/P3P) supported by IE and Edge, but it didn't work out and was abandoned.

There is also the `Do Not Track` header, but it is not respected by most websites.

You can also reject all cookies in any web browser, but then the majority of web pages will not work properly.


I accept but don't save any cookies except certain whitelisted ones.

So I get a lot of cookie policy banners and I always click the full 'accept all' option because at best it'll just eat into their database storage and I'll arrive with no stored cookies the next time I visit the site.

The browser allows me to accept all cookies or non-third-party cookies automatically but I still get these stupid cookie policy banners that cover half the screen at the worst.

I'd really like a standardized way to accept all cookie policies with no questions asked.

(And, for the matter, something that automatically says 'no' each and every time a site decides that the best first thing to do is to ask me to give some feedback of the site before I've even used the said site.)


> I accept but don't save any cookies except certain whitelisted ones.

That's basically what happens in private mode (incognito), I guess. Would be nice if browsers used private mode by default, and you could "whitelist" certain sites you trust / want to remember your login.


This is not what most people would like. But you can tell your browser not to save any cookies except some whitelisted sites, e.g. in Chrome: https://support.google.com/chrome/answer/95647?co=GENIE.Plat...


Just install this extension: https://www.i-dont-care-about-cookies.eu/


Sure, there exists an extension for pretty much everything, but it's not an ideal situation that you need to install an extension for stuff like this.

Also, having too many extensions slows down the browser (because they need to parse/manipulate DOM) and extensions themselves are also a security/privacy risk and finding the good ones for every browser can be tedious.

Besides, my mom has no idea what's "a browser extension".


So tell her what it is :)

Most people just need one extension: uBlock Origin (or built-in Opera/Brave adblock) with a filter list from prebake.eu. No more ads and cookie banners. Easy as that.


I'm using this setup, and I still get cookie/ToS banners all the time, especially using Google (I think I'm accepting their new terms of service 4/5 times each day).


Just add these filters to uBlock Origin:

    www.google.com###lb
    www.google.com##html:style(overflow-y: visible !important;)


Quite a lot of "cookie banners" are really banners to allow third parties to track you.

Under GDPR, this requires a clear, unambiguous consent, freely given. How can you understand what you consent to if you blanket-accept everything? And thus the consent is invalid. And they need a new banner.


Some news sites literally ask for consent to over a thousand purposes in dozens of categories. It's really wild to assume that that's consent, informed or otherwise.


Oh but that behaviour is actually pretty clearly not compliant with the EU cookie law. It just hasn't been enforced (which isn't great).

They're not allowed to make it harder to withdraw consent than to give it.

I've also found, on the few times I humoured their "consent" system, that each of these "tracking providers" (?) needed to make a request to a different domain to withdraw consent, and some of them simply wouldn't load.


To be clear, P3P didn't work because Mozilla and Google poured gasoline on it, and then Facebook lit a match. Had competing browsers not been desperate to brand it as some sort of weird proprietary Micro$oft thing, we might have a better version of it today (as happened to most features of that era).


> There is also `Do Not Track` header but it is not respected by most of websites.

The naivety of this approach almost makes me laugh. I mean, it's a good intention, but really we cannot just trust the "bad" party. Active client-side measures are needed (e.g. as Safari does).


You can install uBlock Origin and disable all third-party cookies in almost every web browser.


This is great. My experience is that many people claim to want analytics for their website but end up looking at it a couple of times and then never using it again. Meanwhile they're sponsoring and bolstering the position of internet tracking giants who - despite their claims - have no regard for user privacy.

Just sell your product instead of wasting time and money on bike shedding your website with whatever you believe is going to "skyrocket your sales".


And when people want analytics they often just really want headline numbers that do not require user tracking.

E.g. I've started using Fathom [1]. It's very basic, but for the sites I use it on all I really want to know is if traffic is going up or down or if any specific pages are suddenly getting lots of traffic.

[1] https://usefathom.com


No pricing page, and jesus, not even a menu. They want us to sign in before they'll show us pricing? fuck right off with that bullshit.


The pricing page [1] is linked further down, and from the sitemap at the bottom of the page. You have a point they should have made it more obvious though.

https://usefathom.com/pricing


Thanks.

Looks like they're only targeting large websites. I've never built a 100k/month traffic website, just lots of (maybe 300+) mom and pop websites.

Wish there was a $12/yr plan for websites that are lucky to get 500 visits a month.


You can use one subscription for however many sites you want (well, they use a drop-down to select the site, so it might not scale to huge numbers), and the pageview count applies to the total, so if you're the one who needs the stats for all the sites, it can still work quite well.

But I agree, it'd be nice to have a smaller option.


I'd go a step further, and say that most sites don't need cookies either. I wrote about it elsewhere a few days ago:

> Avoid having to put annoying EU cookie consent dialogs on your website with one weird trick:
> Don't use cookies on your website.

> If you want users to be able to sign in to access your premium paywalled/onlyfans content, put that on a subdomain that has cookies and requires login.

> (yes this isn't applicable to all websites with cookies; it's just a nice idea worth considering)

=> https://pleroma.envs.net/notice/A1sZxGnSQ2Oi0oWMy0 originally written here


You don't even need cookie consent warnings for login cookies. Just for "drive by" ones.


Sadly this is often unfeasible if your site relies on reCAPTCHA. Are there any cookie-free GDPR compliant captcha options?


This is great! GitHub continues to, somehow, surprise me.

One question I do have, however, is whether or not the new homepage[0] which shows where people are when they open a PR actually reveals their present location. In the few samples I checked it did not seem that the presence of the person indicated matched their bio's location settings. If it is truly unmasking people's location I think it should be opt-in only, since it is private information. An employer or state may have issues with someone opening a PR from a specific country at a specific time, for example.

[0] It may be required to open this in an incognito browser.


I spot-tested three of them and for each one I tested, it matched the information from the user's GitHub profile.

The users might not know it's being used for marketing on the home page, but it seems to be (again, just spot-tested) information that they provided for their /public/ profile.

Edit: NEVERMIND! Just checked a fourth and code from someone with "United States" in their profile showed as coming from Minneapolis.


The data is available unauthenticated here: https://github.com/webgl-globe/data/data.json

If anyone wants to do any further analytics on it, it's easy enough to pull PRs and lat/lon from that.

It does look like lat/lon might be a fixed value for each city (from spot checking a couple). If it's not, that would be surprising and a pretty egregious leak of user info.


Those locations come entirely from public profile bios, as provided by the user.


Then why do they sometimes not match?


I thought that used the bio. Interesting that it didn't match.


If they're not using Google Analytics anymore, it's probably time to remove the request to 'gascrolldepth.js' from the blog as well.


They are probably still leaving that option for themselves though


A lot of people have the misconception that the EU cookie law applies to all cookies, but as the blog post correctly points out, that just isn't the case.


True. Also even if you do track your visitors you can use privacy friendly (and ideally selfhostable) Analytics like Plausible https://plausible.io/ so you won't need the banners either.

Just don't include facebook like buttons or any of these widgets


Does anyone happen to know of a service like this that is free (not self hosted) for non-commercial, low-traffic sites? Or which costs less than ~$10 per year.

I have a basic Github Pages site, and I currently don't know whether anyone is looking at it, beyond the very few who take the time to email me. I don't need (or want) to know anything about my visitors, but it would be nice to know that I'm not simply tossing stuff into the ether.


> Does anyone happen to know of a service like this that is free (not self hosted) for non-commercial, low-traffic sites?

Panelbear is privacy-friendly, and has a free plan with 5,000 page views per month. Commercial use is allowed.

https://panelbear.com

Full-disclosure: I’m running this service. Feel free to ask me anything :)


Panelbear is great, I'm using it. I have a small website with < 1000 page views a month and the free plan of Panelbear is perfect!

Thank you for providing this service.


Exactly what I was looking for. Thank you.


I would recommend GoatCounter.

https://www.goatcounter.com/


And there was me hoping for one of those old-school page-counter.gifs, but with numbers made out of goats...


I thought that tracking cookies needed permissions regardless of whether they were first party or 3rd party?


Parent commenter says:

> I currently don't know whether anyone is looking at it

You don't need tracking cookies to track simple metrics like pageview numbers.


EU law states that you have to disclose you are using ANY cookies that are NOT REQUIRED for the correct functioning of the site (for the end user).

So yes, use of tracking cookies, first or third party, would require a Cookie Consent Banner.


> not self hosted

you'll need a cookie banner then


Not necessarily. Only if personal data is collected by the third party.


I thought that with the recent changes to PECR they clarified that any non-essential cookie-like technology needs permission, irrespective of whether it's first party or pseudonymous. And additionally that analytics does not count as strictly necessary.

That seems to be the advice of the UK ICO: https://ico.org.uk/for-organisations/guide-to-pecr/cookies-a...


You need to notify users, and give them an opt-out, if the cookies are not strictly necessary for the provision of the service.

Analytics cookies are not strictly necessary.


All I want to see are pageviews. That shouldn’t require cookies/fingerprints.


It shouldn't, but nowadays it always does.

Alternatively your pagecount will shoot to the millions if you have someone holding f5.


To be fair, most of them probably do. It's not like the introduction of GDPR in Europe 2 years ago suddenly made all of the shit a marketing dept shoves into Google Tag Manager completely legit and above board.

These third parties will take what you give them and _also_ take what they can get from your browser if you're embedding their script. Are you going to proxy those scripts as well to stop them getting the user's IP address and then geolocating it to grab even more info?

The cookie warning banner is bullshit only in the sense that it achieves nothing. Accept it or deny it, it won't change a thing. Same with the tracking consent popups: despite the law saying they should be opt-in by default, they're still treated as opt-out by default, meaning that all of these sites _still_ collect your data because you're blacklisting individual sites from tracking, as opposed to whitelisting them. You need to set a cookie to say that you don't want tracking and not thousands of cookies to say you do want it?

That's being tracked... it's all wrong. Literally everything you offer as information, or don't offer, is another node in their graph.


It really shits me that a lot of them you can't even deny it. They just have a button like "I understand".

WTF is that...


Or they treat continuing to use the site as consent. Some of them are really passive-aggressive about it too. I've seen cookie banners with wording like "We use cookies, because duh, who doesn't in 2020? Click here or keep using the site to accept."

Completely at odds with the whole "informed consent" thing.


And then they wonder why we use things like uBlock, which are pretty much the only tools we can rely on to genuinely revoke consent. Or revoke as much of it as possible.



I have nothing directly against cloudflare but I think it would be better to try to support one of the smaller analytics companies if possible. They are the ones who made products that got big companies like cloudflare interested in the space.


An analytics service designed to add value to another product and does not need to be profitable in itself sounds like the best kind to me.


"We are democratizing web-analytics" wow, really? Well the people have voted and they want no analytics at all. Thank you very much.


Oh, this is perfect, thank you!


I developed for myself krlx.fr/feu-analytics/ for exactly the same scenario.

It is self-hosted but on firebase and taking advantage of the free tier. Of course there is no personal data collected at any point.

There are still improvements to make, but as it works perfectly for me I have not been able to gather enough motivation to do that.



A few years back I created some HelloWorld application on Google's AppEngine (requires Java, Python or Go) and was positively surprised by the statistics on their dashboard.


I was also surprised by the number of different dumb bots that had tried to brute-force our App Engine site on /wp-login.php

and it wasn't even running on wordpress


I get requests to /wp-login.php (and the like) on my simple Haskell web app hosted on my university's servers. They're quite persistent and I'm not even sure how they found the URL to my app in the first place (the format is something like universityname.com/~userid/projectname, and I haven't linked it anywhere).


https://simpleanalytics.com/ Says this on their homepage: We don't use cookies or collect any personal data. So no cookie banners, GDPR, CCPA, or PECR to worry about.

Seems like a cool company/project to me.

But, it's not free :( $19/mo. Still, I thought it's worth pointing out.


Netlify Analytics is $9/mo


My approximate budget was $10 per year, not month! :)


Fair enough! Probably not going to happen without self hosting.


Make the visitor counter great again!


Looked for a few minutes and couldn't find the full answer. How does Plausible calculate unique users if it can't store some type of identifier on the page?

I see this... "We do not generate any persistent identifiers either. We generate a random string of letters and numbers that is used to calculate unique visitors on a website and we reset this string once per day."

But where is that ID stored?


Probably like we do it for pirsch.io, by calculating a hashed fingerprint and throwing away the individual page hits once per day: https://github.com/pirsch-analytics/pirsch


What's the privacy benefit over storing a tracking cookie with an expiry of a day? If anything, a random cookie seems better for privacy, as in your case, if someone really wants it, they can recover the IP if the user agent is not rare by searching over all IPs (4 billion IPv4), User-Agents (100 for popular browsers), the date (1 day, as the date is stored separately), and a salt (known to the server), easily within reach of anyone.


It doesn't use cookies. Fingerprints are calculated on each page hit.

The salt must be treated like a password to make sure it's not that easy to brute force it and no one should get access to your database of course ;) It's not the strongest anonymization, but good enough considering that the hits will be deleted once a day by batch processing.


Seems like a good method and actually more accurate than they do... seems like they just do a hash of IP.


Hmm I think I've read something about it elsewhere and they also use more parameters than just the IP. Not sure.


> How can Plausible Analytics count unique visitors without cookies?

> So if you don’t use cookies how do you count the number of website visitors and report on metrics such as the number of unique users?

> Instead of tagging users with cookies, we count the number of unique IP addresses that accessed your website. Counting IP addresses is an old-school method that was used before the modern age of JavaScript snippets and tracking cookies.

> Since IP addresses are considered personal data under GDPR, we anonymize them using a one-way cryptographic hash function. This generates a random string of letters and numbers that is used to calculate unique visitor numbers for the day. Old salts are deleted to avoid the possibility of linking visitor information from one day to the next. We never store IP addresses in our database or logs.

...

> In our testing, using IP addresses to count visitors is remarkably accurate when compared to using a cookie. Total unique visitor counts were within 10% error range with IP-based counting usually showing lower numbers.

From here: https://plausible.io/blog/google-analytics-cookies#can-you-g...
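An added example (not Plausible's or Pirsch's own code) of the cookieless, daily-salted counting that the two comments above describe: each hit is reduced to an HMAC-SHA256 over (site, IP, user agent) keyed with a secret per-day salt from the OS CSPRNG, only aggregate counts survive the daily rotation, and the constructed hits exercise the edge cases raised in the thread (a visitor holding F5, two users behind one CGNAT address, and the same visitor returning the next day). Site name, addresses and user agent are constructed.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict
from datetime import date
from typing import Dict, Optional, Set, Tuple


def new_salt() -> bytes:
    """Secret per-day salt from the OS CSPRNG. It lives only in memory; once
    replaced, nobody (operator included) can recompute yesterday's
    fingerprints. Hypothetical design modelled on the descriptions above."""
    return secrets.token_bytes(32)


def fingerprint(salt: bytes, site: str, ip: str, user_agent: str) -> str:
    """HMAC-SHA256 keyed with the secret salt over (site, ip, user_agent).
    Keying the hash is what makes a precomputed table over the 2^32 IPv4
    addresses useless to anyone who does not hold the salt."""
    msg = "\x00".join((site, ip, user_agent)).encode()
    return hmac.new(salt, msg, hashlib.sha256).hexdigest()


class DailyUniqueCounter:
    """Per-page pageviews and unique visitors for the current day. At the first
    hit of a new day the aggregates are archived, the fingerprint sets are
    discarded and the salt is rotated, so days cannot be linked."""

    def __init__(self, site: str) -> None:
        self.site = site
        self.day: Optional[date] = None
        self.salt = new_salt()
        self.pageviews: Dict[str, int] = defaultdict(int)
        self.seen: Dict[str, Set[str]] = defaultdict(set)
        # day -> page -> (pageviews, uniques); no fingerprints are kept here
        self.archive: Dict[date, Dict[str, Tuple[int, int]]] = {}

    def _rotate(self, today: date) -> None:
        if self.day is not None and self.day != today:
            self.archive[self.day] = {
                p: (self.pageviews[p], len(self.seen[p])) for p in self.pageviews
            }
            self.pageviews.clear()
            self.seen.clear()
            self.salt = new_salt()
        self.day = today

    def hit(self, today: date, ip: str, user_agent: str, page: str) -> str:
        """Record one pageview; returns the fingerprint used for the hit."""
        self._rotate(today)
        fp = fingerprint(self.salt, self.site, ip, user_agent)
        self.pageviews[page] += 1
        self.seen[page].add(fp)
        return fp

    def uniques(self, page: str) -> int:
        return len(self.seen[page])


def demo() -> dict:
    """Constructed traffic (not real data) for a hypothetical site."""
    c = DailyUniqueCounter("example.test")
    d1, d2 = date(2020, 12, 17), date(2020, 12, 18)
    ua = "Mozilla/5.0 (constructed user agent)"
    # one visitor reloads the front page 50 times: 50 views, still 1 unique
    fps = {c.hit(d1, "203.0.113.7", ua, "/") for _ in range(50)}
    # two different people behind one CGNAT address with the same browser
    # collapse into a single unique: the undercount the thread warns about
    c.hit(d1, "198.51.100.9", ua, "/")
    c.hit(d1, "198.51.100.9", ua, "/")
    day1 = (c.pageviews["/"], c.uniques("/"))
    # the first visitor returns the next day: new salt, unlinkable fingerprint
    day2_fp = c.hit(d2, "203.0.113.7", ua, "/")
    return {
        "day1_pageviews": day1[0],
        "day1_uniques": day1[1],
        "same_visitor_same_day_fps": len(fps),
        "archived_day1": c.archive[d1]["/"],
        "cross_day_linkable": day2_fp in fps,
        "day2_uniques": c.uniques("/"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```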


A one way hash of an IPv4 address is no more private than the address itself. If you know the hash algorithm, you can build a rainbow table of all the hashes in under a second. Even with a random salt it doesn't take long to build a rainbow table with all possible salts.


Doesn't that depend on the size of the salt?


To an extent, but there are easy ways to cut the search space. For example, you could make a unique request with garbage on it from a known IP every day, and then all you have to do is build a rainbow table for that one IP to find out what the salt is for each day, and then you can fully reconstruct the logs.


If the salt is a random 64bit number (for example) then "finding out" the salt is not trivial.


And unless I'm missing something, it seems easy to add plenty of bits to the salt until it's no longer practical to reverse.


@mattlondon: The salt is known to plausible, that is the only way someone can hash it.


This would be woefully inaccurate for websites with a large amount of mobile traffic (because of CGNAT), or university traffic, or etc.


Don't universities have a huge number of IPs because they were the first to use the internet?

Mine gives one public IPv4 per device that accesses the internet on the network (with some exceptions). Strategies vary, but if you have a lot of addresses why not use them.


That might be true for some US universities, but it's definitely not true for the rest of the world.


According to Google, IPv6 traffic is up to 30% these days.


you can see the exact method on our data policy: https://plausible.io/data-policy


I’m guessing a cookie with an expiration of 24 hours, but I could be wrong


I would like to add https://pirsch.io/ :)


This looks really nice, but what’s to stop it getting blocked like all the other trackers once apple/uBlock/etc. add it to their database?


You cannot stop that. You can get around it for a while by serving the script yourself and setting a CNAME record for your domain to point to us. That's why we recommend integrating Pirsch into your backend so that it can't be blocked: https://docs.pirsch.io/get-started/backend-integration/


IANAL, but my understanding is that you might still need a consent box even if you use Plausible.

I've only skimmed over the docs, but it looks like they derive a unique identifier from the IP address and user agent which changes every day. IP addresses still count as Personally Identifiable Information under GDPR, so deriving an identifier from this for a use case such as analytics would likely require consent. This is speculation though so I'd be interested to hear what others think.

If it is critical to the operation of the website (functionality like storing saved items in a shopping cart, or security), then you wouldn't need consent.

In reality though, Plausible looks great and using it is a huge improvement over Google Analytics for privacy.


>IP addresses still count as Personally Identifiable Information under GDPR

The GDPR does not count anything as "Personally Identifiable Information", which isn't surprising as that's a US legal term.

What you mean is "Personal Data", and yes IP addresses are considered personal data under the GDPR.

>so deriving an identifier from this for a use case such as analytics would likely require consent.

Consent isn't the only legal basis for processing personal data, though, there are 5 others available.


> IP addresses still count as Personally Identifiable Information under GDPR, so deriving an identifier from this for a use case such as analytics would likely require consent.

Only if there is a bijection between the identifier and the IP address, so that you could re-derive the IP address from the identifier. Otherwise, I do not see how the identifier itself would count as PII.

This way of divorcing data from PII by replacing it with pseudonymous identifiers which cannot be linked back is a relatively standard technique for this.


My understanding is that this kind of active consent that we see as popups everywhere on the web nowadays applies to cookies only. So I would assume that if you can track user activity without a cookie you wouldn't need it. It should probably be stated in the privacy policy though.

I'm not an expert in this even though I'm a webdev from the EU, so I'm also interested in other people's input.


GDPR doesn't care if you're accomplishing the tracking with a cookie or using a different mechanism. You're not allowed to do it either way, unless the user has consented.


Since I’m being downvoted: The EU directive that specifically obligates websites to collect informed and active consent for the use of cookies is not GDPR, it’s the ePrivacy Directive.

I don’t believe that one should automatically conclude that just because a cookie requires active consent, any kind of ‘logging’ (local and temporary storage of IPs in order to track website usage) requires active consent. Those are two fundamentally different things.

I’m not saying you should hide the fact that you’re doing it. I’m saying it should be stated in the privacy policy.

Also remember that there is a big difference between ‘personally identifiable information’ and ‘sensitive information’ which are clearly separated concepts in GDPR. Not all collection of data requires active consent.

I did read my EU state’s guideline on GDPR in full, but I’m not an expert. I would suggest reading up on the ePrivacy Directive though, which is still in effect.


Not sure why you're being downvoted, yeah cookies are handled by legislation other than GDPR (ePrivacy as you mentioned).

However, regardless of whether you're using cookies, I still think you need to collect explicit consent as GDPR requires a lawful basis of processing, and I don't see how analytics would fall under any of the other lawful bases other than consent (_maybe_ legitimate interests?)

If you are using cookies, then my understanding is you need to collect consent where necessary under _both_ ePrivacy and GDPR.


Another solution is to do all the tracking in the backend. I'm not saying it's a good solution.


Or, don't do any tracking. I'm convinced that 99% of all analytics is discarded without ever being reviewed, analyzed, or acted upon.


This is probably correct.

On my personal web sites I'm using GoAccess, which is basically a new spin on a very old idea -- just analyzing the server's web logs.

https://goaccess.io

That's not as accurate as throwing around cookies and JavaScript, but I rarely check the log pages anyway, and when I do I'm less interested in raw numbers than I am in the relative performance of various pages. (And that's mostly just idle curiosity, e.g., are there some old articles that keep getting steady traffic from somewhere?)


Much like logging though, it's the 1 percent that isn't discarded that's important.

I agree with you by the way, but ...


Wouldn't that still violate the law but just be harder to detect from the client? If so, I don't think GitHub (i.e. Microsoft) would find it a compelling approach.


The backend already stored all the information about the users. Why would it violate any laws if it stored a bit more or a bit less info? Things can get tricky if Github exported the collected data to third party for analytics.


part of the GDPR law is the intent of the information you are storing, not the method. A cookie is just a technology. If you track your users using a DB it still applies and you need consent if the tracking is not necessary


I can't reply to the reply to this for some reason, but it's worth noting that GDPR and the cookie law are different, though related.


For very recent comments, click on the timestamp to get the single comment view and be able to reply.

(I had to do it here too.)


You folks might just be time limited on the reply - HN puts some brakes on "too fast" commenting


See my profile if you want, that was my first comment in hours. I think it is that sort of brake, (prevents heated discussions being quite so quick-fire) but it's not on the user, it's on everyone for <'5 [or something] minutes ago' comments; drcongo's happened to be '0 minutes ago' when I loaded the page, so I clicked on it to reply.


Oh! Useful tip, thanks!


It would still be a violation because of how you're using it. The law isn't purely about what data you track, it's primarily about what you do with the data.


IANAL!!!! But I think, yes, there are still implications. GDPR makes no distinction about back end and front end AFAIK, it's just about what data you collect and why/purpose.

But note there are other reasons you can have for collecting data other than consent (something often overlooked) - for example I would guess GitHub would log IP addresses in the back end for a limited time for spam fighting reasons, and I think that would be fine.


To my understanding of the GDPR, as soon as you track any identifier that makes those data non-anonymous you still need consent for that. It is not about the cookies per se.


There are six legal bases for processing personal data, consent is only one of those.


Would that mean that you need consent for storing IP addresses in logs?


It depends on what you use them for, but I think you would need it documented that you do it and why.


I really hate the lies you see on a lot of news sites that they will send cookies "necessary for basic functionality."

You're serving articles, there's no reason for session tracking!


Without cookies they can't check if you closed the cookie nag.


I can see a need for cookies to mitigate against things like DDoS attacks, session management for paywalled content or just to leave comments on articles, favoriting certain sections. There are several reasons why as a reader you would want the site to be stateful.


How would cookies help mitigate against DDoS attacks?


Helps separate real traffic from DDoS traffic. e.g. traffic from someone that also visited the site prior to the start of the DDoS is vastly more likely to be real traffic.


Yes! If you use cookies for essential functionality (like keeping track of logged in status), you don't have to do anything. No banners, no annoyance for your users.

I dropped all third-party crap from my site way back and haven't ever needed a cookie banner.


How long can you keep people logged in before it becomes the bad kind of tracking?


Depends only on whether the fact that they are logged in is used to process any kind of personal data.

The question is not "how long". The question is what data, and what happens to it.


It is, because "logged in" is an abstraction - someone has to decide how frequently you have to contact the server before being considered to have "logged out".


a cookie representing an authentication session with your app isn't personal data, and doesn't need a privacy policy, especially if your login is arbitrary and not an email.

It doesn't matter how long it's active either, unless you use it to track users activity elsewhere


If it's used to determine identity, it's a kind of personal data.

However, as you say, it might be allowed by GDPR without requesting extra approval, depending on the way that it's being used and who it is shared with?

Hence my question about whether the length of time that you store this data legally matters (because since databases can be stolen, it eventually does). Compare with how ISPs must store all your connection logs for a specific amount of time.


a session cookie establishing your authentication session only links you with the account in the system. Now, what other data is attached to that account is another thing. For example, the typical forum of yore would only have to take care of emails at best - if it doesn't have personal data, it's irrelevant, because you can't link that identity with your IRL identity.

Length of time you store the data doesn't matter, except in the sense where you can prove that effectively you do not store it at all - for example by anonymization of logs so that you do not effectively store IP addresses, even if of course they have to exist in full in the system at some point to keep the connection open.


I think a lot of people are willingly misunderstanding this too


Also, it only applies in the EU. You don't need to display any banners outside the EU.

Not that I am pro-privacy invasion, I'm not, but I'm definitely anti-annoying-popups.


Except that if the sites don't do annoying things there is no need for annoying popups.

The EU law:

- doesn't require opt-in permission for essential cookies and similar. So basic non-personalized website usage statistics (analytics) do not need an opt-in; only if it's tracking people in any way are such opt-ins needed

- if you login you are known to have accepted the terms of service and as such after login no opt-in pop-up is needed either

- is not limited to cookies btw.

All in all this means that any site not based on ad revenue can fully get away without needing any annoying popups, if they don't do some sneaky questionable things.

Even for ads there are ways to do them without annoying popups, you just need to not track people; tracking the number of times a website was loaded doesn't require annoying popups, just tracking who opened it does.

Similarly, if you track people only after they clicked on the ad, you don't need annoying popups on the site the ad is on, but only on the site the ad navigates to (though only start tracking after opt-in). Which, given that many ads try to sell you stuff and buying things only requires an account, isn't as big of a problem as it might seem.

In the end you can say the only reason there are so many annoying popups is because most companies have no intention to respect the privacy of their users. Actually if you look into it and realize that many popups are not legally conformant or borderline illegal it becomes clear that they not only do not respect the users' privacy but the users themselves.

Though I have to note that, while many (most?) companies can switch to respectable advertisement, some companies can't as easily do so.


The thing is, tracking cookies don't annoy me, because I block all cookies anyway (unless it's one of the few sites I need to actually log into), so they can't track me with them.

It's the popups that actually annoy me, especially because they keep on popping up -- ironically they need to store a cookie to remember that the user has accepted/denied, and my cookie-blocking blocks that cookie as well.

I think browsers blocking cookies by default and asking for permission before storing cookies is a better solution to this issue than a GDPR popups all over the web, and leaves far less room for malicious websites to track you in spite of the user denying.


But the EU law is not just about cookies. It's also about e.g. fingerprinting your browser which is very hard to effectively block in practice.

It's a common misconception that it's about cookies. It's about data processing, i.e. tracking. There is a different law than GDPR which is about storing data on users' PCs, but that is also not about cookies but about any browser storage, and it more or less got superseded(1) by GDPR.

(1): Ok, that is quite an oversimplification, but most popups are now about GDPR and having them also covers the other law.


> if you login you are known to have accepted the terms of service and as such after login no opt-in pop-up is needed either

Apologies if I've misunderstood your claim here but it seems to me that you are saying you can bury consent to processing inside your legalese.

That doesn't comply with the GDPR as I understand it; the consent must be informed and freely given. Informed in that case is debatable since you are lumping a lot of terms together. You certainly can't claim it's freely given if accepting the terms of service is not optional.


You consent to processing related to keeping you signed in. You don't consent to selling all your data away.


Hm true, a ToS checkmark is not enough, you need to make the opt-in part clear. But it should be enough to do so when creating an account and for every change. At least if you put a reasonably findable settings page in which allows you to review/change such settings.

But I still believe you can do it once on account creation and then never again if people are logged in and nothing changed.


Might not some websites need to store connection logs with IP addresses for anti-DDoS protection?


As far as I know, if you only use the logs for DDoS protection and not for e.g. statistics, and only store them as long as you need them for that and then delete them, it _I_ think should be legal without a popup banner, though maybe only if you don't give them to 3rd parties for DDoS protection? I have to look into this again.

The problem is the "only" part(s) ;=)

Oh, and you must reasonably convey that DDoS protection is essential for your service etc. Which if you ever had any (non super small) DDoS attack should be reasonably easy.

But I'm no lawyer and a bit of time has passed since I last looked into it, so if I now had to make a corporate decision I would look it up again.


No, it applies to every resident in EU and EU citizens all over the world.

Edit: https://gdpr-info.eu/art-3-gdpr/ ("where Member State law applies" and "subjects who are in the Union" [...] "regardless of whether the processing takes place in the Union or not" respectively)

Edit 2: https://gdpr.eu/companies-outside-of-europe/ for more info: "The whole point of the GDPR is to protect data belonging to EU citizens and residents. The law, therefore, applies to organizations that handle such data whether they are EU-based organizations or not, known as “extra-territorial effect.”"


The cookie banner is NOT regulated by the GDPR.

It's related to the ePrivacy Directive, which is deeply intertwined with GDPR but a separate piece of legislation. It's not clear whether the GDPR's territorial applicability also holds for ePD. France in particular is drawing a divide between GDPR and ePD, because ePD lets them fine Google directly but GDPR require they mediate through the Irish DPA.


The "cookie law" as part of the ePD is indeed older than the GDPR, but the GDPR kinda supersedes it by including all tracking/data collection not just cookie data collection.

It's also not entirely correct that the GDPR would require going through the Irish DPA or wherever a company in violation has their primary EU presence for tax purposes. True, the GDPR says the nation where a company has its primary presence of business within the EU should take the lead, but the French courts figured out that Google's Irish subsidiary is actually not making any decisions, the US parent is, and therefore it's fine for the French watchdog to issue fines skipping Ireland [1].

[1] https://techcrunch.com/2020/06/19/french-court-slaps-down-go...


Alright, so this gets in the weeds.

GDPR does not supersede the ePD. The ePD is, according to its own text, a law that extends the general privacy regulations to certain aspects of internet technology. So in many cases it defers out to the general privacy law in effect.

When ePD was passed, that law was the DPD, Data Privacy Directive. When GDPR was passed, all ePD references to the DPD became references to GDPR instead (this is Article 94 of GDPR). But ePD remains entirely in effect, just with updated references.

Most importantly, ePD requires Consent in certain cases, but defers to DPD/GDPR for what is the definition of consent. GDPR's definition of consent is much more stringent.

In cases where the ePD did not refer out to DPD, it remains unchanged by the passage of GDPR. So, according to CNIL, it does not include the one-stop-shop mechanism. See section "The competence of the CNIL" in the link below:

https://www.cnil.fr/en/cookies-financial-penalties-60-millio...


And as far as I know there is no ruling that using a VPN or other kind of proxy does make you count as "being in the country of the exit node wrt. actions done through the VPN".

Which means that you can't say a user is not residing in the EU (without a popup asking the user if they are residing there... ;=) ).

On the other hand if there would be such a law it would have kinda interesting consequences.


They can't apply EU law to citizens residing outside of the union.


Well, somehow we in EU have to comply with DMCA, which is not an EU law. Every company that _does business in_ EU can get in trouble for not following EU law irrespective where it violated that law.


EU has DOCDSM instead.


Sure they can, at least in theory. US citizens have to pay taxes no matter where they reside. Most countries will prosecute certain crimes abroad if those crimes were committed by their citizens or against their citizens or against the state.

The practical question is just if they can get hold of the people acting unlawfully.


What about former EU residents? (such as the Brits; or foreign residents)


Brits are being bunched up with Californians in FB terms

https://www.independent.co.uk/life-style/gadgets-and-tech/fa...


The GDPR is implemented in British law, that's how these directives work.

Once the UK leaves the EU, they're no longer obliged to keep their implementation of the GDPR. The government can choose to keep their implementation, and in practice keep the same regulations as the GDPR, or they could reduce or remove their privacy protection laws as they see fit.

With London being famous for their camera surveillance, I expect the UK to reduce some if not all of the privacy protections the GDPR brought to the world.


The GDPR is a regulation (hence the R at the end) not a directive.

It became UK law as soon as it was passed by the EU, and it didn't need to be implemented in to UK law.

The UK has already passed their amendments to the GDPR,[0] which will effectively fork it into the "UK GDPR". These will come in to force on the 1st of January.

There's a "Keeling Schedule" available[1], which is effectively a diff between the EU GDPR and the UK GDPR.

[0] https://www.legislation.gov.uk/uksi/2019/419/introduction/ma...

[1] https://assets.publishing.service.gov.uk/government/uploads/...


I read that and it said that it applies to data not processed in the EU. I always interpreted that as applying to data centers and such in something like an AWS availability zone in the US. It said “ the monitoring of their behaviour as far as their behaviour takes place within the Union.” I never thought that applied to EU citizens all over the world. EU citizens living in another jurisdiction would be subject to that jurisdiction's laws right? For instance GDPR wouldn’t apply to a Spanish expat that lives in Thailand, as far as I understand it.


Yes, but if you reside in Spain and use a VPN with a Thai exit node to access a site in Thailand you are still residing in the EU and in turn the Thai website needs to comply with GDPR.

Though non-compliance can only be enforced if the entity behind the website/app or similar does enter the EU or does business with the EU.


Yes, it applies to residents in the EU, but not EU citizens outside of the EU. Unless I misread the link.


I really wonder genuinely if the regulation has improved anything at all. I just click through the banners without even thinking. It has become so annoying. The value I get is below zero. I wonder if the majority is like me.


The regulation explicitly forbids annoying banners, the problem is that there’s currently zero enforcement of it so websites continue breaching it and lying to themselves (and others) by thinking their consent banners are compliant.


>The regulation explicitly forbids annoying banners

You have to love how the regulator did not even try to define what they mean by "annoying". Thus making the whole law completely useless.

In my book, any single pixel of my limited screen real estate that gets dedicated to this useless regulation is annoying. If the EU wants to enforce this, they need to provide a way for me to basically say "Yes, I agree with all tracking cookies for all sites forever", and never see a banner again.


But that’s exactly my point. Why regulate if things get worse. If you regulate think about enforcing beforehand. What’s the use?


Enforcement is already happening. Multiple confirmed cases of fines being handed out to businesses, organisations etc :-)

More importantly IMO they are also contacting entities up front to tell them about violations and how to get compliant; the fines we have seen so far seem (again IMO) to be only for particularly nasty cases and/or cases where the entities in question refuse to change.

This means the fines we are seeing are just the tip of the iceberg: most changes happen underneath the surface and only trickle up in the form of less annoying websites (or fines) little by little.


I take the time to check what I'm agreeing to.

By law it's default opt out for non-essential usages specifically to deal with people who are annoyed, but not everyone plays by the rules.


Yeah, maybe. But not by clever design. The opt-out boxes are usually designed as secondary buttons. The opt-in is designed as primary button. So if you want to change something you have to really think and make a deliberate choice, whereas most people in that moment just want to see the damn content of the site.


That's because the website operators deliberately design the experience to be obnoxious and frustrating.

They want you to have a bad experience if you decide to opt-out of detailed behavioural tracking, so that you'll feel pressured to "consent" to detailed behavioural tracking, and so you'll feel like the GDPR is to blame, even though it isn't.

I've put "consent" in quotes because it's not freely given consent if you are heavily pressured into it, and it's not consent at all if you end up believing you don't really have a choice.

These banners/dialogs do not even comply with the GDPR (despite saying the GDPR requires them), as GDPR says consent to non-essential personal data collection about you must be as easy to withdraw as it is to give, and the service you get must be the same if you don't consent as if you do.

I wrote a bit more about this here: https://news.ycombinator.com/item?id=25441131


Same here. and I'm on ublock origin and the rest. It's just ghastly, of all the scams (tech support and more) and other misery on the internet, the EU is just absolutely fixated on some of these random things.


I am also of this position – however not everyone in my team is. We are currently investigating this in my project.

Do you have an authoritative source which i can show our team regarding this?


More information is in Opinion 04/2012 on Cookie Consent Exemption of the Article 29 Working Party of the European Commission about Cookie Consent, which elaborates about the topic:

https://ec.europa.eu/justice/article-29/documentation/opinio...

(The §29 WP is now replaced by the European Data Protection Board, but that seems not to have issued any more current Guidelines or Opinions on that matter. Maybe they are waiting for a forthcoming ePrivacy Regulation. Also: IANAL.)


Well, it's a reasonable misconception to have, banners don't usually explain everything, they mostly say "hey, we use cookies", and not "hey, we use non-essential cookies".


Part of the problem is that when it first passed, the advice was to just add a cookie banner no matter what to be safe, since no one really understood the law and exactly when it did or did not apply.


You are right, and that unfortunately happened because nobody even tried to read the law (which is quite clear regarding this). It's easier to just follow other sheep.


The banners are an opportunity to have the user consent to more than they would otherwise consent to (“allow all”).


Right but it still seems like this could violate the GDPR, right? They say:

>>So, we have removed all non-essential cookies from GitHub, and visiting our website does not send any information to third-party analytics services.

But you’re still only allowed to use the cookies for the purpose the user gave you them for, right?

So, if:

a) the cookies are essential for the user session, and

b) you collect the cookies, without explicit permission, to maintain that session

then you still can’t use those cookies for other purposes, like analytics, right?

Edit: sorry for all the “rights?”, just want to make clear I don’t convey high confidence in this claim.


That's correct. Using cookies for the user session is fine and does not require consent as long as you really are just using them for the user session. The moment you use them for analytics, you have to request consent for analytics, even if they are primarily for maintaining the user session.


> The moment you use them for analytics

Not even then - there are plenty of analytics you can do without a cookie banner, as long as they don't identify the user.

Conversely, anything you do other than your obvious business requirements (e.g. if you buy something physical I need some address or identity to verify at pickup) requires consent whether or not it's analytics.

(Not a lawyer, not legal advice, jesus just don't track people...)


There needs to be the same kind of active consent whether it’s “required” or not.

The difference is if you can deny access for those opting out or not.


But wouldn't that consent be in the EULA? So long as they only track logged-in people, they'd have agreed to that.


No, it wouldn't be in the EULA. There are two parts of GDPR that would specifically go against putting consent to tracking in the EULA:

1. GDPR requires the consent check to be somewhere obvious and in plain language. That was specifically to deal with EULAs given to you in tiny legally compliant text boxes.

2. GDPR requires that you cannot make consent for non-essential usages of data mandatory as a condition for providing your services. Tracking only logged-in people for analytics falls into the category of non-essential purposes. That requires explicit consent, even if consent is not required to use the exact same data for authentication checks.


But wouldn't that be asked for at the same time as signing the EULA, i.e. at account creation? If you're avoiding banners, I can't think where else you'd put it.


If a cookie is not necessary (or you are using a necessary cookie for secondary purposes), then you need GDPR-valid consent. This means:

1. Consent must be separate from other terms being agreed to. So consent in the EULA would not be valid.

2. Consent must be an affirmative, unambiguous action. Pre-ticked boxes or bundled consent are not valid.

3. Consent can be revoked at any time. Revoking consent must be as easy as giving it.

So yes, you can ask for it from a user when you're having them agree to the EULA. However you can't have it as part of the EULA, it has to be an optional add-on. And you still need to let people turn it off afterwards.


No, GDPR does not say you have to consent to be tracked anywhere.


So, this is a case of “tech company thinks they found a clever GDPR hack, but didn’t and is still breaking the law”?


If we're talking about Github, no, I don't think it's a clever hack. I think they've actually ripped out the offending usages.

The reason I find that believable is that their core business is selling a git server with bells and whistles. From Microsoft's perspective, Github doesn't need to be doing any marketing because they kind of are the marketing.


Whether they complied in other ways is irrelevant to whether this case is non-compliant, and the point was about reuse of cookies for analytics, not marketing.


I don’t understand your point. You’re asking whether they’re trying to work a loophole or a clever hack, and I said that I don’t think they are and that I think it’s credible because they don’t have profit motives that would drive them to take that legal risk.


You don't think they do analytics on users based on these session cookies? Because doing that without the consent pop-up is (I claim above) illegal, and so the clever workaround fails.

I would be really, really surprised if Github were the only Bay Area unicorn that lacked a product manager nagging them for more analytics. The fact that they don't need to sell the analytics is irrelevant.


I can't speak for Github, but I can speak for my team in [tech giant]: if I wanted to do analytics on end users I'd have to go through a review to confirm that I would not be violating privacy laws. I literally couldn't query them if I wanted to without jumping through technical hoops with audit processes and paper trails.

I do believe Github is legitimately trying not to use that data for analytics. But whether some PM in there is querying that data for analytics purposes: at that point we're just speculating based on how cynical you or I want to be. I don't think that's a meaningful point.

Also: I'm not saying I don't think they do analytics. I'm saying I don't think they are using users' personal data for analytics. That's an important difference with respect to GDPR.


> then you still can’t use those cookies for other purposes, like analytics, right?

Yes. It’s not the cookies, it’s what you make the use of them.

The wording even predates GDPR. You could even dispense with the banner if you had DNT set to 1 or 0, since that would count as consent/not consent resp.


Pure analytics is exempt from consent from the GDPR point of view, from my understanding and from explanations of our local French regulator.


Define "pure" ?


First Party maybe


Yes.


I just checked my cookies on the Github website and had several tracking cookies (including Google Analytics).

Then I realized I should probably clear all the cookies for Github, and start over with a fresh session. So I deleted all cookies that Github had given me (which was 12) and refreshed the page. As expected, I was now logged out and Github immediately issued me 4 new cookies.

  • _gh_sess (a fresh session cookie)

  • _octo (not sure what this is, might have something to do with cache-busting? Looks like it contains something resembling a version id/string)

  • logged_in (my logged in status, now false)

  • tz (my timezone)

All of these are valid cookies (assuming that _octo is for cache busting) that would not require a cookie banner.

So then I logged in. I now have 10 cookies. None of them appear to be tracking cookies.

  • __Host-user_session_same_site (14 day session token)

  • device_id (this contains a random string to differentiate this device. Initially I was concerned with this, thinking it might be a fingerprint. But it is far too short for that, and it appears to be a flash cookie. It expires as soon as it is issued, so it only lasts one request. This is likely used to improve your experience in the case that you are logged in across multiple devices to differentiate which device is making a request within the current session)

  • gh_sess (same as before, session)

  • _octo (same as before, presumably cache-busting)

  • dotcom_user (contains a string with my github username)

  • has_recent_activity (boolean value, likely used to display "unseen notifications" on the front-end)

  • logged_in (same as before, except now true)

  • tz (same as before, timezone for frontend time displays)

  • tz (now have 2 timezone cookies. Both are currently the same timezone, although I assume the first one is a timezone gathered from my system clock and the new one is a timezone gathered from my github settings which they now have since I logged in. This is probably a bug where they expect to overwrite the first one, but since one is set to the github.com domain and the other is set to all github subdomains then it didn't overwrite)

  • user_session (yet another session token with 14 day expiration. However the session token in this cookie and the __Host-user_session_same_site cookie are the same. Not sure of the reason for the duplication)

So those are all the cookies that Github now gives you. 2 of these seem to have duplicates. Meaning the same could be done with 8 cookies instead of 10. But regardless, all cookies seem to check out. None of these are tracking your usage and are there to improve your logged in experience. Tracking things like your username and recent activity boolean are most likely being used to save making the same database queries for every request. The others are just tracking sessions, which is something that users definitely do want. The 14 day expiration is a good middle ground between convenience and security.

At the beginning I mentioned that I had two tracking cookies before I cleared my cookies. These are gone after the refresh. So it looks like github has in fact stopped issuing tracking cookies altogether. They also seem to have removed Google Analytics entirely as I don't see the script on their website at all.

So all-in-all this definitely checks out. I don't see any GDPR violations here or reason to display a cookie banner anymore.

I assume they still have analytics, but the analytics are all happening server-side which provides them basics like pageviews and visitors. And since you have to be logged in to do almost anything in github they don't need cookies to track what you do while logged in, thats all going through their servers and databases anyway.

I know plenty of people here have problems with Github, but I think it is exciting to see a large company like Github (Microsoft) take this step.
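
An added example, not code from the comment above and not GitHub's own: the cookie inventory above lists a `__Host-` prefixed session cookie next to an unprefixed one carrying the same token. The snippet parses Set-Cookie headers and checks the rules a browser enforces for the `__Host-` and `__Secure-` name prefixes (Secure set, no Domain attribute, Path=/), and flags attributes one would want on any cookie whose name suggests it carries a session. The header strings, the `__Host-bad_session` cookie and the "name contains session" heuristic are constructed for the example; nothing here is GitHub's actual configuration.

```javascript
// Added example (not GitHub's code): parse Set-Cookie headers and check whether
// each cookie satisfies the rules its name prefix promises.
// Prefix rules (RFC 6265bis cookie prefixes):
//   __Host-   : must be Secure, must not carry a Domain attribute, Path must be "/"
//   __Secure- : must be Secure
// A browser rejects a prefixed cookie that breaks these rules, which is what makes
// the prefix useful: a __Host- cookie can only have been set by the exact host that
// is now receiving it, never by a sibling subdomain.

function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const cookie = {
    name: eq === -1 ? parts[0] : parts[0].slice(0, eq),
    value: eq === -1 ? '' : parts[0].slice(eq + 1),
    attrs: {},
  };
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1); // flag attrs become true
  }
  return cookie;
}

function prefixViolations(cookie) {
  const v = [];
  const { name, attrs } = cookie;
  if (name.startsWith('__Host-')) {
    if (attrs.secure !== true) v.push('__Host- cookie without Secure');
    if ('domain' in attrs) v.push('__Host- cookie with Domain attribute');
    if (attrs.path !== '/') v.push('__Host- cookie without Path=/');
  } else if (name.startsWith('__Secure-')) {
    if (attrs.secure !== true) v.push('__Secure- cookie without Secure');
  }
  return v;
}

// Hardening hints for cookies that look like they carry a session.
// Heuristic (assumption for the example): the name contains "session".
function sessionHints(cookie) {
  const hints = [];
  if (!/session/i.test(cookie.name)) return hints;
  const a = cookie.attrs;
  if (a.httponly !== true) hints.push('session cookie readable by script (no HttpOnly)');
  if (!('samesite' in a)) hints.push('session cookie without SameSite');
  if (a.secure !== true) hints.push('session cookie sent over plain HTTP (no Secure)');
  return hints;
}

function auditSetCookies(headers) {
  return headers.map((h) => {
    const c = parseSetCookie(h);
    return { name: c.name, violations: prefixViolations(c), hints: sessionHints(c) };
  });
}

// Constructed sample headers: cookie names modelled on the list above, values and
// attributes made up for the example.
const SAMPLE_HEADERS = [
  '__Host-user_session_same_site=abc123; Path=/; Secure; HttpOnly; SameSite=Strict; Max-Age=1209600',
  'user_session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax; Max-Age=1209600',
  '__Host-bad_session=xyz; Domain=.example.com; Path=/; Secure',
  'tz=Europe%2FBerlin; Path=/; Secure; SameSite=Lax',
];

for (const result of auditSetCookies(SAMPLE_HEADERS)) {
  console.log(result);
}
```

The third header is the interesting one: a `__Host-` cookie with a Domain attribute is not a weaker cookie, it is a cookie the browser silently drops, so the session never sticks and nothing in the server logs says why. A check like `prefixViolations` on your own Set-Cookie output belongs in CI for that reason.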


> I assume they still have analytics, but the analytics are all happening server-side which provides them basics like pageviews and visitors. And since you have to be logged in to do almost anything in github they don't need cookies to track what you do while logged in, thats all going through their servers and databases anyway.

Considering Microsoft's size, wouldn't this still be a concern, and might even still violate GDPR if they were to use identifiers like IP or Microsoft accounts between their various services ?

For an even more extreme version: see Google or Amazon (AWS).


Are we claiming that if GitHub has a dashboard like “number of concurrent sessions” and “average length of session” and “unique users who touched this feature” it would be a GDPR violation?

Because I can’t imagine that they don’t.


It looks like you can still be tracked as long as you are logged into your Github account? (Or even if you are not logged in as long as only Github/Microsoft is tracking you?)

Another question is how exactly can Github be trusted to not send this tracking to Microsoft? It's not like this is something that we can check... I don't think that the EU is going to send inspectors to Microsoft?


I don’t think this is a problem for GDPR. As long as there’s no personal data involved you can count active sessions, aggregate data etc


How would you count unique users without processing any records corresponding to particular users?


Session ids are unique? Are they personal data if you cannot link them to an individual? Count those. Let's say you are paranoid and someone, somewhere can link those random ids to people. So hash those random ids with a key that this someone has no access to. Now you have anonymized ids you can count uniquely and that cannot be linked to individuals.

You can anonymize data if you really want to and use it for understanding trends, usage etc in a privacy respectful way. Few companies bother these days though. And yes if you want a 100% watertight way, it’s hard.


What about identifiable information like IP addresses?


Generally they are used to protect against DDoS and to have forensic data in case there is malicious behavior, and are allowed as essential to operating the service.


But then they can read the logs and track you anyway?


Sure. But that would be against the GDPR if you didn't say you were going to use it for that.


And who is going to check and enforce that?


That is within the domain of the EU governments.


IP addresses are only considered PI if combined with other datapoints.


> A lot of people have the misconception that the EU cookie law applies to all cookies, but as the blog post correctly points out, that just isn't the case.

A lot of people also have the misconception that the EU cookie law applies to them, even if they are not in the EU and have no EU physical presence.


The GDPR applies to anyone anywhere processing personal information (such as IP addresses) of people inside the EU (both EU and non-EU residents).

That doesn't mean that you're necessarily at risk of any lawsuits or effective action, but what you're stating is wrong. Physical presence has nothing to do with it.


As a corporation, of any size, you are not beholden to laws made in other countries, unless you do business in that country or have a presence of some kind in that country.

With the exception of large, international organizations, that doesn't apply to nearly all business outside the EU.


No, it absolutely does not "[apply] to anyone anywhere processing personal information of people inside the EU." I don't know why people keep saying this, I have no idea where this misconception came from.

https://ec.europa.eu/info/law/law-topic/data-protection/refo...

>When the regulation does not apply

>Your company is service provider based outside the EU. It provides services to customers outside the EU. Its clients can use its services when they travel to other countries, including within the EU. Provided your company doesn't specifically target its services at individuals in the EU, it is not subject to the rules of the GDPR.


Recital 23 of the GDPR provides some more information about when an organisation would be considered as targeting users in the EU:

"In order to ensure that natural persons are not deprived of the protection to which they are entitled under this Regulation, the processing of personal data of data subjects who are in the Union by a controller or a processor not established in the Union should be subject to this Regulation where the processing activities are related to offering goods or services to such data subjects irrespective of whether connected to a payment. In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union. Whereas the mere accessibility of the controller's, processor's or an intermediary's website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union."


The EU can say this all they want, but the reality is it has zero teeth for any organization conducting business outside the EU, with no actual presence in the EU.

EU laws simply do not apply to the world, even if the EU thinks they should.


> The EU can say this all they want, but the reality is it has zero teeth for any organization conducting business outside the EU, with no actual presence in the EU.

Perhaps not, but the EU is the world's second-largest economy (only $2tn behind the US and $4tn ahead of China) accounting for about 1/5th of the global economy.

If one wants to operate a company that does international business, one will probably want to do business in the EU, which means following EU law in such matters.


Wait, is that true? You need to have a physical presence in the EU?

If so, why did everyone scramble to meet the requirements. Was it a scam?


It's not about physical presence. It's about whether the EU could do something to punish you. For every big company that is true. For example the EU can force Visa/MasterCard to stop doing business with you.

If you're small enough, then the EU won't bother doing anything.

If you don't even depend on any 3rd party that is vulnerable to EU will then you can fully ignore everything. That can be tricky to achieve though. No common money transfer methods and you must be self-hosting.

Also, all of this isn't new. The US has been enforcing its will globally in a similar fashion for a long time.


People get scared of lawsuits, especially if they're from a very litigious country like the EU. Companies lobbied against the law hard, spreading the idea that any visitor of your website could sue you for millions because you sent a cookie header. Reality is much less scary for most decent people.

Technically, the law applies to everyone worldwide, regardless of location. However, if you have no business in the EU and don't plan to expand your current business operations to the EU, you don't need to worry.

Hell, if you don't meet the requirements, the relevant enforcement departments generally give you plenty of time to implement the necessary requirements or block access if you're a dick. The exception, of course, is data brokers and huge companies like Facebook or Google where the impact is much larger.

The GDPR doesn't expose you to lawsuits from anyone but the privacy monitoring instances of EU member states. The average American blog or news site isn't nearly large enough for any government instance to start a lawsuit.

You can also ask yourself: so what if they fine my company €10.000? They're not going to send a team of special forces over the Atlantic or through Russia just to extract the cash from you. You only need to pay the fine if your company ever needs to do business in the EU. If your company structure makes you personally liable, this also impacts your future holiday destination decisions, but you can live perfectly fine without seeing the Eiffel Tower.

A lot of very similar laws are also being passed in California right now, which will probably be a lot more dangerous than any GDPR restriction, but if you follow the GDPR you're pretty much set to protect yourself from Californian lawsuits as well.

Most of the GDPR is just "don't be a dick with people's data". If the fear of not meeting requirements stops the free-for-all data exchange market, then I'm perfectly fine with that.


Without the LAW we still would have those cookies.

And github wants us to look at them with big eyes at how amazing they are.

There should have never been any other cookies first hand.

The end.


I hate the standard wording on Cookie banners. Most of them should read:

"The site uses cookies. Actually it doesn't - you are not logged on and we don't need to maintain state. But our advertising partners, their partners, and their partner's partners all love to set tracking cookies. Click here to consent to three dozen cookies from around the globe."


Good lord, everyone needs banners and popups?

Why not just let browsers control who sets what cookies?

I'm tired of the endless cookie popups. Can we come up with an "allow cookies if the browser accepts them" standard, as long as that guarantees no cookie popups?

Then browser vendors can ship a delete all non same origin cookies on tab close or something.


This is (mostly) based on EU law; entities that set cookies and track user data are required to get opt-in permission from users before doing so, and if the user declines, the entity cannot offer a degraded service.

At least that's the idea. In practice, almost everyone just throws up a banner that says "fuck you, we're selling your data as hard and as fast as we can," with no opt-out available, but they pretend that this is compliant with the law.


My favorite of the week: Doordash. Doordash does not use two-factor authentication, except for one thing: opting out of having your data sold. For that, it sends an SMS message to your phone. Since I signed up for them using a landline, the SMS message is lost.


It's a shame the EU became laser focused on cookies, which can be managed technically by browser settings, and not on dark patterns like these. Or how US consumers complain about being able to subscribe to a service via the web but must call a customer service person to cancel, often with a lengthy wait, dropped calls, and being transferred to a sometimes rude 'retention specialist.'

There's so much more pressing than just cookies imo.


Contrary to popular belief, GDPR has nothing to do with cookies and isn't even about the web specifically. It is - as it says right in the name - a General Data Protection Regulation.

The very long and well-sourced wikipedia article doesn't even contain the word "cookie": https://en.wikipedia.org/wiki/General_Data_Protection_Regula...


> 3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.

This is from Article 7 of the GDPR [0]. Clearly the situation described involves a much harder time withdrawing consent than giving it - which goes against the law.

I may have misunderstood what you meant, but how is this being laser focused on cookies? This article applies beyond the Internet anyway.

[0] https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL...


Oh man, this makes my blood boil. Another reason I'll never touch MS again is that they removed the cancel Xbox Live subscription button for NZ subscribers, and I assume other locales where they didn't have some law forbidding it. The feature to cancel was there, but they decided, if they could, to hold you hostage and make you call and waste lots of time via as painful a process as possible to cancel.


The new one I'm seeing is you opt out easily enough, but there's a subtly hidden tab called 'legitimate interest' and every ad network claims to have a legitimate interest in harvesting your data, even though you've got no business relationship with them.

What should be happening is every company that's done that should be getting massive fines, but instead all the enforcement agencies are doing nothing.


If a company is going to lie or skirt the law about their cookie use, why show the banner at all? It's almost worse to show a decline option that does nothing.


It's basically a form of malicious compliance.


Malicious compliance is still compliance. Somebody being told "Please watch the pressure gauge." and then staring at it as it goes outside of safe regions is doing exactly what they were asked to do. This is blatant noncompliance with the thinnest veneer of respectability.


Then you can lobby to change the law because the users-electors are annoyed and it's not your company's fault every website is doing it.


Yeah, people should start reporting these sleazy sites to their authorities if in the EU. I'm hoping that GDPR enforcement will eventually get up to speed.


Except that those authorities are often stripped of resources, toothless organizations often made to serve as digital Potemkin villages for the public. Everyone knows this and can't be bothered to waste one second of their life on that bs.


I typed "cnil fines" (the CNIL being the French data watchdog) on Google which led me to their sanction page [0] which features 100M€ fines to Google and 35M€ to Amazon _last week_. It is surely not much in the grand scheme of things, but surely this is more than a mere Potemkin village.

[0] https://www.cnil.fr/fr/tag/sanctions


That's true, but I wish they spread their reach wider. These fines to Google/Amazon/Facebook make the news, but are just a slap on the wrist to these giants. What would work much better is a wider campaign of smaller fines, so that everybody in the sleazy business would know or have heard of someone who was fined.


Good that at least in one country they do something, but everywhere else it's the wild wild web and the bandits are not threatened.


I typed "UK data watchdog" (for I did not know its name) and while it is true that I needed more clicks than for France, I found their enforcement page with their list of fines [0]: £18m here, £2m there...

[0] https://ico.org.uk/action-weve-taken/enforcement/?facet_type...


It's not actually doing its job, it only goes after certain types of easy targets:

https://www.openrightsgroup.org/blog/parliament-must-hold-th...

They also had a massive budget shortfall which meant they sent out what amounted to protection racket letters demanding £40 per year from every UK business, even though almost none of those businesses should be paying it.

All this while simultaneously investigating the ad industry, finding it is egregiously breaking the law, but then doing nothing about it.

The UK's ICO is taking an extremely broad definition of who should be paying it, but an extremely narrow definition of who it should enforce against.

I might add that the £40 it is demanding is almost 3 times the normal £15 yearly fee for running a business in the UK.


In the UK, BA was fined £20M recently, although that was for egregiously failing to protect customer data.


I have now started reporting stuff. It was easier than I thought :-)


Legitimate interest exists, and we use it at work. But because I work in the field of security, and for the sake of our infrastructure, we log specific information and might drop a mandatory cookie at a time.

Everything outside that field cannot, I guess, be considered as legitimate interest.


The absolutely funniest interpretation of ”legitimate interest” is in a recurring spam message I get from (of all things) an email lead marketing company.

They have small print after each of their emails that says that GDPR allows them to email me because they believe I might be legitimately interested in purchasing their services.


I always look for that - and the 'deny all' button. They do not have a 'legitimate interest' to track the hell out of me.


It's not really about cookies but more about non-essential information gathering, of which tracking is a part, and some forms of tracking use cookies. So basically, three levels deep before we go from the law to cookies. Then again, people have an easier time talking about 'cookie popups' instead of 'information harvesting', which sadly hides the real issue.


Yeah, I always wonder why this can't be handled like "prefers-dark-mode" and then the answer is always "because then who would let them do it"


What keeps Mozilla from implementing this setting and lobbying for a general Web API for expressing cookie consent? As far as I can tell, their users would be extremely happy about that.


Because it won't take off. Right now, the advertisers are basically hoping for you to be too lazy to click around ten minutes to find the 'no'-option. If every user would be presented with a fairly weighted chance once, hardly anyone would click yes. Accepting this standard would undermine their business even more.


That existed. https://en.wikipedia.org/wiki/Do_Not_Track

It failed horribly because it was voluntary. But now that it's a GDPR requirement, perhaps that might have a snowball's chance in hell of succeeding.


No, it failed because it acts on the wrong side. If you don't want to be tracked you shouldn't send cookies in your request.


It can; the first iteration used the Do-Not-Track header, but that died in the standardization process. Now there is a movement for the Global Privacy Control header that you can read about here: https://globalprivacycontrol.org/


Once, and only once, since GDPR was implemented, I found a banner that was actually compliant with the GDPR. It defaults to allowing only necessary cookies, requires affirmative consent before any other cookies are used, and makes rejection of tracking have no additional steps compared to accepting tracking. Every other banner I have seen will violate those in some way, either saying that continued use of the site constitutes acceptance, or requiring unchecking of several boxes before clicking accept, or requiring going to dozens of affiliate websites in order to search out and disable tracking settings there.

As in, this is the first GDPR banner I've seen that is actually legal under the GDPR.

https://www.freedomforuminstitute.org/


Sad but true, I wish there was some way to change the current state of affairs, but the EU is a juggernaut that has lost track of its citizens' wishes regarding cookies.

One of the most precious things we have is time and the constant cookie interruptions are a nuisance that should be kept from sight.


They sort of opt in. It's pretty ingenious really.

1-click to opt-in.

multi-click and losing your current page to opt-out.


Would it be possible to set up a global cookie exchange? Some sort of browser plugin that lets us all swap tracking cookies?

Sharing is caring.


> the entity cannot offer a degraded service

Does this mean that sites that offer free but ad-supported content still have to offer that content? So I can watch those free Youtube movies and listen to those Spotify tracks ad-free because EU Law says fuck you.

How is this fair?

Edit: Okay, okay, non-targeted (and no 3rd party) ads are okay, got it xD


Spotify can show you non-targeted or contextually targeted ads, as is done with TV, radio, print media, movie theaters, billboards, etc.

The fact that Spotify doesn't want to because it's less profitable is where EU law says fuck you.


You can display ads just fine without using cookies. You just can’t track people across the web.

Also Spotify can easily require a free login and associate everything with that, no tracking cookies required. They just can’t associate your playlist with your web browsing habits.


No, it just means those ad-supported sites cannot use cookies to spy on you in the name of personalized ads. They are still free to display "generic" ads including content-related ads. Same as old school TV, radio and print ads really, which couldn't track me either but sustained those broadcasting companies and publishers well enough.


Billboards, newsletter ads, flyers etc won't track whether you look at them as well, and last time I checked print advertisement still kinda sold.

Tracking is not necessary to show ads. Certainly there are business models which depend on this, but hey who says our society benefits from those? Targeted advertisement and free informed democracies don't mix well IMO.


Especially ironically, Facebook has been taking out newspaper ads to whine about how it needs targeted advertising to survive, and how mean Apple is harming them.


Those ads will just have to be served without the tracking. You know, like how it has worked for decades on television and radio.


How does no 3rd party tracking without consent mean "ad-free"?


Two objections.

1. A law that aims to prevent stealing should be deterring thieves, not just regulating padlocks.

2. Technical measures are insufficient because cookies are regulated by purpose. A third-party cookie for fraud detection is allowed; a first-party cookie for analytics requires consent. It also prevents using necessary cookies for secondary purposes, something that literally cannot be accomplished through technical means alone.

As a minor point, the so-called "cookie law" also regulates browser fingerprinting. I have a hard time imagining that you could legislatively mandate effective anti-fingerprinting approaches.


The reason you are provided many free services is because you ARE tracked / analyzed and marketed to. That is the CORE of the business. The popup will say, do you accept this cookie and being tracked to use this free service. Everyone literally clicks yes. I can't believe the billions of wasted clicks and manhours that have gone into this charade.


> Why not just let browsers control who sets what cookies?

Because it doesn't have anything to do with cookies. You don't need a banner if you use CSRF cookies, you don't need a banner if you use them for stuff like CloudFlare's anti-DDoS script, and you certainly don't need a banner if your site requires cookies for basic functionality like logging in.

The browser can't possibly tell what the server is doing with its cookies. It might even be using a single cookie as CSRF protection and ad tracking at the same time.


>"allow cookies if the browser accepts them"

isn't that the 'allow 3rd party cookies' setting ?


> Then browser vendors can ship a delete all non same origin cookies on tab close or something.

That doesn't prevent Facebook or Twitter or advertisers in general from tracking you across dozens of pages or more, it just means that they'll have to issue you a new cookie each session.


I feel that browsers should implement a permissions grant pop-up for when a site attempts to set a cookie with SameSite=none, and the cookie api can be extended to enable explanations to be given by the developer.


This essentially moves the banner into the browser, and will make ad networks tell websites to not use SameSite=none, but use SameSite cookies and tell those ad networks behind the scenes. There are plenty of ads now already that are seemingly first-party hosted (and go as far as transmitting the ad content through e.g. websockets to avoid adblocker detection).


> Why not just let browsers control who sets what cookies?

This is actually the case, what do you mean? All browsers that I know of (firefox, chrome, elinks) allow the user to control what to do with cookies.


This is where we were before the GDPR. You can order your browser not to accept any cookies. But since you need at least one cookie (or other way of persisting data on the client) for stateful HTTP connections, the burden to sort out the bad ones is on the consumer. This is exactly what the legislation wanted to prevent.


> Why not just let browsers control who sets what cookies?

Browsers wouldn’t fall for dark patterns.


At least it raises awareness on how tracked we are.


Not all cookies are born equal.

I would like to store a cookie or a client-side cert to remain logged in, but not the other cr. Granted, they could use that cookie to track me, but this is what GDPR is about.

IIRC, Internet explorer used to ask you for each cookie, circa 2000. These pop-ups became more and more common with time. The web would be unusable with those nowadays.


Practically there is only one browser, Chrome. And we know that it's not in Google's interest to do any of that. They are actively fighting and diluting tools and techniques that would prevent tracking.


I hate the implication that those banners are some sort of consent. They're so commonplace now that people blindly click 'okay' or close them just to be able to read the site. If the wording was something else ("you agree that we can take your first born child") would it even hold up?

The worst is when the banner says: "This site uses cookies. Agree / Disagree" -- it's not even asking for consent.


The worst is when the banner says: "This site uses cookies. Agree / Disagree" -- it's not even asking for consent.

Some sites don't even give you a "Disagree." Liberty of London has no way to opt-out: "By closing this box or by clicking accept and close, you agree to our use of cookies."

https://www.libertylondon.com


I have never once in my life clicked on any of these banners. In no way have I given them my consent. I simply ignore them. If they track me, they're breaking the law.


The law requires either consent or legitimate interest (there are even more options, but not relevant here). So they can track you without consent and not break the law.


"Legitimate interest" (Article 6.1.f) is one of the weaker clauses for lawfulness of processing as it comes with the following caveats:

1. Having some legitimate interest is not necessarily sufficient - the privacy interests of the data subject can override the legitimate interests of the controller (Article 6.1.f itself), so the controller has to explicitly take the privacy interests of the data subject into account, and the reasonable expectations of data subjects matter. So this can be tricky, as it's up to the organization to demonstrate that their legitimate need outweighs the data subject interests.

2. the right to object of Article 21 applies for this clause, with explicit clarification in 21.2 that yes, people do have the right to object to direct marketing profiling;

3. the controller is required to explicitly inform the users "At the latest at the time of the first communication with the data subject" that they have the right to object to this processing (Article 21.4, and Recital 70);

4. As article 21.5 states "the data subject may exercise his or her right to object by automated means using technical specifications", so this opens the way for specifications such as the upcoming Global Privacy Control header (https://globalprivacycontrol.github.io/gpc-spec/) which would be a legally binding "I object" mechanism.

Because of this, whenever an organization can assert some other basis for lawfulness of processing (e.g. consent or performance of contract) then that would be a safer option than trying to assert a legitimate need.


Very true! yet lots of companies still (try to) hide behind it. My recent experience was with Sonos. They heavily track you without opt-in/explicit consent and hide behind legitimate interest.

https://blog.gingerlime.com/2020/sonos-is-spying-on-me-and-y...


When it comes to cookies, the ePrivacy Directive 5.3 is more strict and requires explicit consent for non-essential cookies and similar technology (incl. fingerprinting). Look up the recent case against Apple IDFA. Legitimate interest does not come into play here actually.

On mobile so can't easily post links unfortunately. EDIT: here's a couple of links

https://noyb.eu/en/noyb-files-complaints-against-apples-trac...

https://blog.gingerlime.com/2020/does-ios-14-protect-your-pr...


There are somewhat strict rules of what is legitimate interest. And sending data to a US company (Google Analytics) even requires some extra steps beyond normal consent, now that the privacy shield has been scrapped.


The disagree button is the "Close" button unfortunately.


And often it works like a "please leave the site, nothing here for you" button. Amazing how IRL businesses use such types of third-party booking systems with ads and other crap shoved down your throat, that's for anything from hairdressers to carpenters. One would think at least they don't require you to login via FB, ah waaaait, some of them do. The web dystopia is here now, enjoy it.


You sound like the guy who wrote this:

"We're not going to lie to you. Your privacy isn't our priority. It's not even close. Not because we want to track your every move. But because we simply don't care. We'd rather spend what limited time we have actually improving the web site. We're into taking pictures and adding content, not obsessing over what your dog had for lunch so we can sell it to MegaEnormousBigCo. We're not tracking you. We're not tabulating you. We're not folding, spindling, or mutilating you. Seriously, your personal life is not important to us. However, you may or may not be of interest to the people who advertise on this web site."

https://www.chicagoarchitecture.info/privacy.php


The last sentence is the key part. I could respond in kind: No one cares if you care or not. We only care about the people who are willing to buy that stuff from you.


The thing is, that's bullshit.

Here's the other perspective: Data brokers don't really want your data if you don't want them to have it. It's a legal liability for them, and most of them are struggling to work at the scale their customers demand already. But publishers want high advertising rates and that means advertisers want to make good bids and that means both actually want a data broker involved to deal with the technical (collection, filtering, aggregation, ETL) and legal (GDPR) bullshit.

But then publishers and advertisers don't do their due diligence or decent engineering and just shovel illegal shit to data brokers on the backend. The ones that shut up and launder it do well; the ones that actually try to do a good (technical, legal) job drown in account management and data processing overhead.

So fuck that site. They are the ones that care about your data, they're just making a show of keeping their hands clean while they pay someone else for the dirty work and hiding behind their (half willful half stupid) ignorance of how their own industry works.


Gotta love some good customer flattery


This honesty is refreshing.


+1


I find these pop ups weird. Shouldn't we get an option to say, "Disable tracking"? These pop ups don't really have any utility because a banner won't stop them from reading the article.


“And we would rather not have this crap, but nobody pays for content and there are only two types of ad networks: privacy preserving and paying, so we’re stuck. Please call your congressperson to complain [here].”


”Businesses are the real victims.”

—Another fake quote


I'm confused.... AFAIK the biggest ad company, Google, doesn't share your private info. It's not in their interest to do so. Instead they keep it to themselves and then offer ads by categories so as a 3rd party I can say "Please target this ad at 'video game players'" but I can't ask "give me the names of video game players"


The issue is that by including Google tracking on their web page, from a legal point of view the publisher is sharing your information with Google.


Google is the company that your info gets shared with.

Google being the biggest ad company does not give them the right to surveil all that walks the earth.


So what happens if one consents to it, but also has third-party cookies disabled in one's browser settings?

Is disabling it there globally equivalent to not accepting on such banners?


Consent often involves more than just cookies. Consenting essentially allows them to use other tracking technologies beyond cookies such as IP addresses or browser fingerprinting.

This is also why the GDPR requires consent forms instead of relying on browser cookie settings, as it covers the intent of tracking itself as opposed to any technical means by which it is achieved (and this is why functional cookies such as for logging in or shopping carts don’t actually need consent at all).


The wording of these banners rarely suggests as much.

They talk about cookies, and little more.


Well, most sites still generate at least some kind of CSRF cookie. Multi-language sites sometimes even have tz/lang.


TZ/lang preferences do not require consent, a CSRF token for a logged in user seems to me to be legitimate interest too, but I suppose you could see it as an identifier that can be linked back to the user. I still think if you're using it just for security purposes it counts, but the fact that the same identifier could be used for tracking based on differences on the backend is one of the reasons why this isn't just based on browser cookie settings.


Well, it's legal to create a hash and save it inside a database to count unique users. If the hash is not connected to any info that would identify a user (btw. user agent is some kind of identifying stuff) it is fine.

what I wanted to say is that cookies are not illegal by gdpr means and gdpr does not make a lot of stuff illegal, it's just that SAVING personal information or information that could identify somebody needs explicit permission.

edit: another thing, IP addresses: by German law you are required to save them when a user can register on your site and your site allows users to submit data, because authorities force you to give them out when a user did something illegal. (§ 7 Abs.1 Satz1 Nr.4 TKÜV, https://www.gesetze-im-internet.de/tk_v_2005/__7.html) In Germany it's basically: fuck the privacy if they harmed our law! Or at least you need a way to "activate" saving IP addresses.


How do you create the hash? If it's based on something that you can derive from the user (let's say sha1(IP address + User Agent)), that seems pretty clearly identifying. If you generate a random identifier but save that identifier in their cookies and send it back next time, also pretty clearly identifying.


> How do you create the hash? If it's based on something that you can derive from the user (let's say sha1(IP address + User Agent)), that seems pretty clearly identifying.

Of course that is forbidden. And that's exactly why it is really hard to tell if companies honor it.


Why does that matter? If the advertisers delivered cookies via the main site server, would that change your experience?


This wording should be required by GDPR. :)

If that would be the case, maybe more sites would follow GitHub here.


Yes, like on cigarette boxes with mandatory, non-dark pattern, visible without scrolling 3 meters button to choose "Don't agree, Continue".


> Yes, like on cigarette boxes with mandatory, non-dark pattern, visible without scrolling 3 meters button to choose "Don't agree, Continue".

And then Facebook takes out full-page ads attacking your company for allegedly hurting "small business."


CCPA tried this with the "Do Not Sell My Personal Information" requirement, but it was about as ignored as GDPR.


Can anyone familiar with the topic explain what distinguishes essential from non-essential cookies?

GitHub gives the example of "those used by third-party analytics, tracking, and advertising services", but curious if the law defines some sort of bright line here.


Authentication and authorization cookies seem pretty essential for any website that has accounts. If you block those cookies the website stops working -- they're essential.

If you block ad networks and analytics the site functions just fine -- they're not essential.

Beyond that there's probably some sort of "need to know" test to prevent convoluted fake dependencies.


They are not really, really essential. No cookie is essential. A long, long time ago I worked with a web system that kept session info in a URL parameter, and carried it over all the links. I think it was a C# website, but I'm not sure.


>a URL parameter

I love those systems. Especially when the unwary users share links, accidentally letting other users into the site as them. Or when Google indexes it and, in addition to the terrible security, the site uses regular GET links to perform site actions, so Google deletes the user's content or buys a bunch of stuff as them while walking the links it finds as it indexes beyond the user's initial account-bearing link.

lol. no.


Hey, I'm not saying it's a good idea. I'm only saying it can be done. I would very much prefer cookies.


Yes, ASP.NET allows (allowed? Haven’t used it in years) cookieless sessions this way. The problem is it has to rewrite all the relative links on the page to ensure session state is not lost.

The problem is it makes URLs horribly unwieldy if a user wants to bookmark or paste in links from emails etc etc, or writing JS to interact with links, not to mention the security issues of being able to accidentally share your session.

Possibly, yes, but not at all user friendly.


Those were great. I hung around a forum around 2004 where someone posted a link to jeans he just bought from a smallish online store - the URL contained the PHP session identifier. Thousands of people had instant access to his address + bank information + purchase history, and could place orders for him.


That's nice, surprise jeans! But yeah, I'm not advocating that, I'm only saying it can be done.


Implementing session handling as URL parameters makes no difference from a legal perspective. It will be covered by the law exactly the same as if one used cookies. It's the tracking the law is about, not the implementation of it. You're just picking a worse technical solution for no legal gain.


That's disgusting. And it's like saying roads aren't essential because cars can drive on dirt.


Would this mean that if you shared a URL with someone you would be sharing your session as well?


Yes. Some sites operating like that eventually tried to work around this issue by tying it to the IP, but you can see how that is hopelessly broken anyway.


Maybe it would work with ipv6...


That would break the "remember me" feature for sure, unless you explicitly bookmark the site with the get parameter attached.

It also poses a security / opsec issue if anyone non-technical wants to send a link to a friend / co-worker. You may compromise yourself.

If people share their screen people would be able to hijack the session too.

You won't be able to distinguish device sessions from one another reliably neither. Think of "log out all other devices".

These are what I can think of. There's probably a handful more reasons NOT to do that.


> You won't be able to distinguish device sessions from one another reliably neither. Think of "log out all other devices".

You could, I think. Passing the session ID in the URL is the same as storing it as a cookie. You can invalidate both in the server.

Link sharing is an issue, for sure. You could tie the session id to the IP, but that doesn't work when people share their IP, which is more and more common every day. An IP-tied session would work better with IPv6, though.


In WAP times there was no such feature as cookies available. I started programming by writing WML pages instead of HTML. Good memories from those times!


The website at my college we used to register for classes and some other stuff used this method. For whatever reason though, the logic was wonky, and the site would give an error if you used the "back" button in the browser, and you'd have to go back to the home page.


Sounds like a security nightmare.


- Security stuff (auth tokens and similar) are generally essential (if only used for that purpose).

- Any form of tracking people is generally non-essential.

What you can and can't do is not based on technical implementation details but practical usage of the information!!

The tricky part is when both overlap, i.e. if you track people but only for assuring a secure operation, i.e. you don't use the tracking information for anything besides their main purpose of assuring secure operation.

A lot (all?) of systems which provide such security specific tracking do not strictly limit their usage, access and collection of information and as such are also used for non-essential purposes and in turn need opt-in.

But then sometimes companies try to abuse it and will do so until taken to court.

For example Facebook argued that people use Facebook with the (main) intent to get customized ads and as such tracking them is essential for Facebook's service. As you can guess this argument is completely ridiculous, especially given that they also track users who don't use Facebook, but if you are the size of Facebook you can try to bring that to court and maybe gain a bit more time before you need to comply.


There isn't an obvious bright line, and that's probably intentional.

This is not legal language or legal advice, but the gist of it is "if you don't have it, can your website still do what it claims to do?"

For a site like Github, if you can't use cookies to maintain session state, you'd have trouble implementing login sessions, so that's pretty squarely on the essential side of the fence.

But moving into murkier territory, how about logging the IP addresses you signed in from? If you're using it to detect new login locations or new devices as a security alerting thing, then I think you can make a strong enough claim that this is essential. (Again, not a lawyer, this is not legal advice.)

What if a PM wants to look in these logs for how many unique users show up in each country? That's pretty squarely on the side of analytics, and is probably not essential.

But... muddying the waters more, what about if an engineer wants to query unique users to figure out how many more racks of servers to buy? I have no idea. I'd be asking a lawyer.


I can guarantee that you could throw a rock in your city’s business district and hit a lawyer that is in the process of doing incredible mental acrobatics to wrangle Google Analytics to be an “essential part of the offering”.


I believe it is generally untested in law whether third-party Analytics count as "legitimate interest" (direct consent not required) in EU GDPR, which is why cookie banners talk a lot about "legitimate interest" now.


I work a lot with GDPR and making sites compliant, and some agencies do in fact tell this to their customers. I suspect it's to sell their services for cheaper.

Luckily where I work we are pretty serious about this stuff. Since one of our main revenues is data protection consulting, anything else would be idiotic anyway.


There is no direct language about cookies in article 5(3) of the ePrivacy Directive. What we have is Opinion 04/2012 on Cookie Consent Exemption of the Article 29 Working Group of the European Commission about Cookie Consent, which elaborates about the topic:

https://ec.europa.eu/justice/article-29/documentation/opinio...

(The §29 WG is now replaced by the European Data Protection Board, but that seems not to have issued any more current Guidelines or Opinions on that matter. Also: IANAL.)


Yeah here’s what it says about “necessary processing,” which does not require user consent.

Note GDPR never mentions cookies, or cookie banners. It regulates the control and processing of personal information (which can be stored in cookies).

https://gdpr.algolia.com/gdpr-article-6

1. Processing shall be lawful only if and to the extent that at least one of the following applies:

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

(c) processing is necessary for compliance with a legal obligation to which the controller is subject;

(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.


There is no bright line, mostly as far as I can tell it’s session cookies and those you need to set to fulfill your contracts with the user.


Somehow the rest of the internet was sold to the idea of "EU is forcing you to put cookie banners, these are nothing but annoyance" rhetoric. Whoever pulled that off, bravo!

In reality, the idea was to make people aware that they are being tracked across the web and give them options, and somehow everyone pretended that "No tracking, no banners" is not an option.

I am so glad that GitHub is coming forward and pointing out the elephant in the room: you don't need cookie banners or tracking consent forms if there's nothing to consent to.


Meanwhile more and more websites are adding “legitimate interest” controls to ads and analytics, as a way to keep them activated. It’s so absurd from a user perspective, they even have separate controls for normal and legitimate interest ads.

I wouldn’t be surprised if the sales teams at Google, criteo etc told them to do so off the record.

Every time I see the banner I think is it really necessary to visit the website? So I’m also quite happy about this move by GitHub.


I think you mean "you don't need cookie banners if you have your own identifier" which they certainly do and affords them the luxury of this blog post.


That's the idea. You visit GitHub and github knows about it, not Facebook, not your local advertisement agency, not the data brokers. Also, these identifiers are not forged in the fire of Mordor, you can have your identifier too.


And add to that, they have paying customers.


I am pretty sure that they are still tracking you - but Microsoft can easily afford to do tracking in-house...


>We use Usage Information and Device Information to better understand how our Users use GitHub and to improve our Website and Service.

https://docs.github.com/en/free-pro-team@latest/github/site-...


Doing "tracking in-house" does not exempt you from GDPR requirements. The requirement is exactly the same: explicit and freely given consent is required to collect extra private information not specifically necessary to provide the service requested.


In this case, is GitHub non-compliant now? They say they're not doing third-party tracking but the blog post seems to hint that they're doing their own tracking.


That depends on what personal data they're collecting and for what purpose, in the case that a person hasn't explicitly opted-in by giving consent freely. I don't think it's possible for us to figure those details out exhaustively merely by observation from the outside.


Yes, and it's not like the EU is going to send surprise inspections to go dig into Microsoft's code and databases to check whether they are violating this or not?


They don't send surprise inspections to your house to check if you're engaging in criminal activity, either.

My point is that you're moving the goalposts. Law enforcement generally always requires a complaint that justifies an investigation, and people and organisations get away with breaking the law all the time. However that has nothing to do with whether or not GitHub put their website behind a "consent" wall, or whether or not they're doing in-house as opposed to contracted-out analytics.


I'm not moving the goalposts. Aren't you aware that some businesses get regular inspections, which do not require any complaints?


Sure, but it's also likely that Microsoft's lawyers allowed the Github team to do this if they didn't think that Github was still in compliance.


What "private information", though? If GH is putting in a database the order of clicks that you made to navigate around their site, is that "private information"?


If there's an identifier that can be tied to you (like an IP address), then yes?


There is a lot of wiggle room in "provide the service requested"


> There is a lot of wiggle room in "provide the service requested"

There is, but it is so in any law, because laws can't be specified as precisely as computer code, and an attempt to do so would make them so rigid as to be unenforceable, and hence ignored. But it seems that companies aren't even trying to use this wiggle room, just ignoring it or plastering the damned cookie banners, so I think that it's a good thing for future privacy-oriented laws—when given even the most generous possible leeway, businesses would still rather track their users than attempt to colour within the lines.


What do you mean by in house tracking?


Across Microsoft services like Github, Office365, Bing, LinkedIn, Windows...


yes but what does it mean tracking? having an account? keeping a tab of last time you used it?


Some identifier tied to a time and "place" (service)?


To do what exactly?


Learn at what moment your defenses are down so that they can sell you stuff, presumably. Isn't that the general assumption about tracking?

Or sell your data to interested parties. Maybe if you liked certain GitHub repos, you are more likely to vote Democrat or whatever.


I'm not sure that the GDPR really cares what is being done with that information? It cares more about who that information is being shared with, and about your consent.


They are an annoyance because they are redundant, out of band, and pass the burden onto individuals who have no authority.

They are like CA Prop 65 lead warnings: useless spam that everyone ignores.


>"EU is forcing you to put cookie banners, these are nothing but annoyance" rhetoric

I came to the conclusion myself. I personally see no real need for laws like GDPR and see humanity dealing with cookie banners every day and lost ability for websites to be profitable as pure negatives.


I'm an American that's currently in Europe, and I recently downloaded a mobile ad-blocker for the purpose of blocking cookie popups. I was already blocking most tracking at the DNS level, so this was mostly for cosmetic purposes. Blocking consent banners has made browsing the mobile web so much more pleasant.


Was this mobile adblocker on Android, or can you also get it for iOS? I am interested.


I’m using 1Blocker on iOS.


I literally proposed this solution in a previous HN thread, discussing the cookie situation. I'm glad a large business such as GH is able to take the _extremely_ painless route of just outright removing them entirely.


They removed cookies, but they don't claim to remove ad ids, they only don't use cookies to store them. Also worth remembering that github is a social network and has no privacy by design, it also builds its own user profile a part of which is public.


Well a large business such as GH also has the resources to build their own in-house tracking solution, which can piggyback off of the first-party auth cookie without requiring any cookie pop-ups.


That was an unexpected nice gesture.

I wonder what they’re using to track user activity instead, probably just a mix of server logs and the other goings on of the backend.


Your user session. It can even be a cookie still, because that session cookie will be required for it to work.


Right, I meant to imply that the user session is used by “backend goings on”, and I understand that that is stored in a cookie still


Shoutout to the extension "I don't care about cookies" that removes all these banners automatically.

[1]: https://www.i-dont-care-about-cookies.eu/

[2]: https://addons.mozilla.org/en-US/firefox/addon/i-dont-care-a...

[3]: https://chrome.google.com/webstore/detail/i-dont-care-about-...


That extension hides, and sometimes accepts cookie consent popups for tracking cookies, it's harmful for your privacy, and should only be installed if you literally don't care about cookies, nor your privacy.


Why would you trust a webpage to not add any cookies just because you told them to? If you want to protect your privacy you should control the cookies yourself, at which point the consent popup becomes pointless.


AFAIK, it doesn't object against (tracking, ad, etc.) cookie usage, and some pages assume that when you use the page you have agreed to tracking and the like. Even though I doubt that it is legal, you might end up being tracked even though you never agreed to it.

I like the idea of the extension and used it for a few weeks, but ultimately decided to remove it again.


Also, at [1] there's a filter list you can use instead of installing the extension.


If they've gotten rid of 3rd party analytics, does this mean they're just using their own? Presumably session cookies count as "required", and could be used to track your actions at least on github.com.


Sure, but considering GitHub doesn't have advertising[1], and they're not sending it to a third party (like Google, who does), it's very hard to imagine any use for first party "tracking" that might harm you.

Presumably the most they're using this for is recommending potentially interesting repos to you.

[1] Potential concern would be if "Microsoft" was considered "their own", since Bing does have an ad network. But my guess is between still having separate accounts and being treated as separate companies, that is not the case here... yet.


Remember that they have LinkedIn as well, and quite possibly could put together a fascinating view of software job profiles, candidates, and repo language/activity to gain value entirely within their own organization. Something like LinkedIn recruitment recommendations improved with GitHub contribution activity might be a fascinating recruitment product: ads are not the only way to gain value.


Yeah, I think my comment is still applicable as is: the risk here is entirely dependent on whether "first party" means "GitHub" or means "Microsoft and its various properties".

My guess is that, at least, for now, it refers to GitHub, as you agree to GitHub's Terms of Service, which doesn't actually mention Microsoft as a party.


I get ads on GH homepage for open positions. They seem targeted to me or maybe I just notice the relevant ones.


Wait, Google isn't sharing your analytics data with any third parties.


Google usually is the third party, when people are talking about analytics. GitHub removed third party analytics, like Google.

And while Google keeps its data hoard on you to itself, it definitely sells access to you in numerous harmful ways.


What matters is the purposes that the cookies are used for, not how many there are or which service set them.

A session cookie that is also used for tracking would qualify as both a functional and a tracking cookie, and thus generally be illegal (since you can't consent to the tracking if it's under the threat of being unable to use the service).


They appear to be using a self-hosted analytics solution. Every page makes a request to collector.githubapp.com.


I presume this is indeed what they're doing given the wording of the post:

"(And of course GitHub still does not use any cookies to display ads, or track you across other sites.)"

That exactly leaves out "track you on our own site". But honestly, I have absolutely zero issue with them tracking my behavior on their own site. I know how valuable it is to be able to learn/see what users are doing, and they should absolutely be able to do that.


Tracking individual behaviour on their own site without notification is still illegal under the GDPR, so no, they should not absolutely be able to do that.


The GDPR isn't about "3rd party analytics". It's about collection of personal data as qualified by the purpose of that collection, regardless of who collects it.


Great! Even before, rejecting tracking on GitHub was just one click away, same number of clicks as accepting it.

I also like the fact that all users get equal privacy rights!


Which is actually mandated by GDPR, but that doesn’t seem to end the endless clicks required to block cookies on certain websites.


It's definitely not mandated by GDPR. Look how annoying Facebook, Google and countless news sites' cookie banners are. I don't know GDPR, but I'm sure their lawyers do.


Great move! Now that some big sites like Github curb their use of invasive third-party analytics I hope more will follow suit. For Github it's probably easy to do this as they can extract a lot of insights from the actions their users perform on the site that are visible in their backend, so they probably don't need event-based analytics so much.


See, it is not all that difficult. Hopefully, this will be the first of many big websites to ditch the excess tracking.


Visiting https://github.com on a clean browser profile results in these cookies being set:

    _gh_sess "2RS32uKu1a6pH8js1RreBWXcr4EdQMHXr/6PdyOeH7tgLbeIdxTaYni5fcFWff4wXTvqv8+lSeJ2W0RWHu0hgN4toFeR8B22x/HGuIx6gdIi4dvd2xQ4gtnuvhBVLTwnYjNGNcnT7ODFlerX+Li9HL33KXUvP/LDMlXTxCP+sJycF1x83Wqh8r2JFTGpcKgaQ22maisp6gfNVJI6MLnFQrKu/LxnuuMfPcVHzCEBjxDejJ/19ucDUVGnZ5LwP4JGTp1+RumiuA8MPxUTaktbLg==--TmIIVNRcipKqc2yt--6HedWH9JiNkUgNKKyGf30A=="
    _octo "GH1.1.1254465225.1608314039"
    logged_in "no"

The article is written in a way that we assume that they're not using any cookies unless necessary, but it seems that the actual implication is that they've re-categorised these cookies as "essential".


Incredible. Take note, everyone - it is possible.


I started using the Cookie AutoDelete extension with Firefox. Now I just accept all and the extension takes care of removing the cookies as soon as I close the tab. Logging in again and again on the regular sites is not even an annoyance with a password manager.


What I would wish is for the next iteration of the law to mandate a standard way of opting in. From looking at the real world, there are several categories for cookies. Technically, tracking, okay I can only think of two. A standard opt-in procedure could client side set a cookie with a certain level of consent for each page at the browser level. A default setting for this can then be set globally in the browser. A site specific setting could then be overwritten by the server or the browser UI.

You could then nicely ask your users to agree to tracking in the places where there were the privacy intrusion banners of the shady tracking networks.


I wish there was a browser option "I don't care about being tracked" and that would get rid of all cookie banners (and, more often than not, full page popups).

This EU law comes from a good idea, but it's terribly implemented - it implies that everybody out there is a lawyer and can make sense and agree on multiple pages of confusing legalese, and this every time they open a new website. This is so absurd, and the result is that we're trained to click "ok" on everything and we're tracked all the same. Back where we've started but with more popups.


This may not be exactly what you asked for, but there is https://www.i-dont-care-about-cookies.eu/

Also, it isn't the law that has been terribly implemented, although that could be argued as well, but rather the fault lies with the companies that do not want to abide by the law.

There are a few easy ways to check if a website is breaking the law:

- Is it as easy to say "no" to the consent as it is to say "yes"? If not, it's not legal, as the consent is not freely given.

- Is the website setting tracking cookies, or tracking you in some other way, before you have made your choice about the consent? If it is, it's not legal, as the consent must be opt-in not opt-out.

- Is it confusing? Then it's probably not legal, as the consent must be informed.

- Is there a button to "accept all" with no clear list of what you're accepting? Then it's not legal, as the consent must be specific and unambiguous.

It's not rocket science, anyone can read it up for example here https://gdpr-info.eu/issues/consent/


Don't you think that the implementation of the opt-out process is what is actually flawed? The law doesn't require you to throw this popup at your users. You can just set the cookies that are technically required and explain their function in your statement about data usage. If you want to track people, you can then ask for their consent in some nice, locally served banners, where normally your privacy-intruding ad networks would put their third-party javascript.


Or blanket non-consent of course.

I too find it quite annoying. The other issue is that sometimes the banners do not properly work with various aids for disability and keyboard-operated browsers.


There is the "Do not track" option, but as I understand it's ignored by most websites. That's why I wouldn't mind a "Do what ever you want" option, and in exchange popups are removed.

That's how it was before and I'm not certain that it caused that much harm. Users can always block ads and third-party cookies anyway if they wish to do so.


If the E.U. can require such popups, it can certainly require that this “do not track” option be honored.


The EU law does not require these multiple pages of legalese. Not even a little bit.

In fact it says "it shall be as easy to withdraw as to give consent".

So you shouldn't attribute complexity to the EU law, when the law actually insists on simplicity.

It's a myth that the GDPR requires complex forms, or even just banners. One that website operators (mainly 3rd party advertisers and trackers who provide the banners/popups to sites) would like you to believe.

A genuine GDPR-compliant banner/popup is much simpler.

In fact you can make a GDPR-compliant site without any banner/popup/form at all, while still using cookies, logins, shopping carts and analytics etc. You just need to do it in a privacy-respecting way, which isn't hard.

The complexity is that website operators attempt to half-comply and half-violate the law, frustrate and arm-twist users into something most people would not agree to if it was easy to decline. The obnoxious complexity is deliberate, to annoy and frustrate you so that you give in to the "easy" option they very much want you to "choose".


Seems like a good way to differentiate themselves from GitLab: while GitLab is open source whereas GitHub likely will never be, GitLab.com contains many third-party trackers and GitHub now none.


Damnit, they found my loop-hole! https://ma.ttias.be/loophole-cookie-notices/


> EU law requires you to use cookie banners if your website contains cookies that are not required for it to work.

No it doesn't. EU Law requires you to not harvest data at will, and you either must have a basic functional requirement (i.e. 'remember my login'), or you must ask the user if you can have their data to profile them so the advertisements can make a few percent more money (yes, the whole profiling thing doesn't even add that much to the bottom-line!).


This is wrong. EU law absolutely does require cookie banners if a website uses non-essential cookies, even if those cookies are not used to harvest data.


The cookie law predates GDPR.


For other sites I recommend the extension "I don't care about cookies". It removes most cookie warnings, makes browsing the web way less bothersome.

You can also add cookie warning filters to uBlock Origin, but those don't autoclick when CSS filters aren't sufficient.

https://addons.mozilla.org/addon/i-dont-care-about-cookies/


It would be really cool to get an on-GitHub analytics for GitHub pages. I’d like to get view counts but don’t want to embed an external tracker in my blog.


ePrivacy document WP224 ("Opinion 9/2014 on the application of Directive 2002/58/EC to device fingerprinting") specifically discusses the use of fingerprinting and IP addresses for first-party analytics and states:

"However, the Opinion also stated that currently there is no exemption to consent for cookies that are strictly limited to first party anonymised and aggregated statistical purposes. Therefore, first-party website analytics through device fingerprinting do not fall under the exemption defined in CRITERION A or B and consent of the user is required."

This seems quite clear that consent is required for any form of analytics where you can identify individual users.

Another commenter here mentioned that GitHub is only tracking individuals for 24 hours before the fingerprint changes. I would think that would probably qualify as being in the spirit of the ePrivacy directive, if not the letter of it.

Would be great if someone from GitHub could comment on the above? How are you handling this - do you maybe get consent as part of the terms you agree to when you signup? (which would mean not tracking anonymous users).


I find it staggering how misunderstood GDPR seems to be at large.

First and foremost, it's not about cookies. EU laws required you to inform visitors about "cookies" and have them acknowledge them long before GDPR passed into law.

Second, it's not about third parties or required cookies vs. marketing cookies.

What the law actually states is that you may not, in any form, make individuals using your service identifiable or track them without prior informed and active consent by the visitor, and you also may not make such consent mandatory for accessing your publications content. plain and simple.

all the "cookie banners" out there are ONE form of solving this problem but are in no way mandated by law. If you find another way of solving this issue, all the better.

But the way these banners are designed and implemented at large are geared towards soliciting consent by means of obfuscating actual selection (think: bright "accept all" buttons with tiny "save settings" links) and by making it hard and tedious to actually select and submit your preferences (think: giant lists of all trackers with opt-out for legitimate interest and optin for consent side by side). These are in clear violation of what the law states imho and are largely in use because there is still no juridical precedent that clarifies what goes and what doesn't.

what we are experiencing is a clash of ethical mandate and economical interest. GDPR is aimed at protecting you, the user, from being identified and tracked along your web history, be it by cookies or fingerprint or whatever.

dropping functional cookies for logged in users is perfectly fine though, as registration itself is likely a process where users can be informed of such personal identification and is an active decision by the user.

saying "the site needs it to function" and tracking users first party only is NOT a way around GDPR, as much as this narrative gets retold.

in short: it's not about cookies and third parties. The law is purposefully formulated in a way that isn't scoped on technicalities and seeks to prevent such "workarounds".

I would love to see more details disclosed by GitHub about HOW exactly they implemented this, as I am certain they have enough professional legal counsel to have dug deep into this question.


I'm sure people will praise this, but how do you run a modern website with no analytics? How do you know if people use the features you build?


Good question! We just shipped GitHub Discussions to millions of developers and we can learn whether people use and like the product by looking at whether people are creating discussions, customizing categories, and answering questions.

The argument that you need to follow users around every step of the way to build great products is simply untrue.


I’m sure that GitHub certainly has analytics; they just don’t use third-party analytics. This means that either they’ve built their own tool or are self hosting someone else’s. I imagine that GitHub has some amount of internal tooling here out of necessity, e.g for metrics about how people use GitHub over SSH.


However they cannot use data that allows them to identify a user (such as an IP address) in their analytics, unless the user has granted them explicit consent to use that data for the purpose of analytics.

So my understanding is that there is a big difference between this and "they just don't use third-party analytics".

It would be super nice if they clarified this in the blog post. Maybe by adding something like "We do not use personal data in our analytics".


Or they just send the data to the 3rd parties on the back-end.


By looking at http access logs, like since the beginning of times? Note if by modern sites you mean SPAs, you could still make HTTP pings for those features; might not make much sense to use SPAs for content-driven sites though.


You could still self-host an analytics solution. Just don't share that data with 3rd parties.


It doesn’t mean no analytics, it’s about including third-party analytics scripts. You can still do analytics.


You can use analytics programs without needing cookies. I use Fathom (usefathom.com) and they are compliant.


But is it just about cookies though? If they log images downloads or anything else that is essentially what tracking cookie would do and often this type of tracking is used instead of cookies. Just because they don't process this data for analytics (or do they?) it doesn't mean this automatically respects privacy, as there is always a chance this data could leak. Do they store logs?


Really good news! For other websites, I've developed the browser addon Ninja Cookie that removes cookie banners by rejecting the use of non-essential cookies. (I introduced the Hacker News community to this project a few weeks ago.) Free and good for your privacy :) Have a look guys :) https://ninja-cookie.com


I just block cookie banners with a combination of custom JS/CSS and uBlock Origin. I hate those abominations.

Ironically, these sites need to use additional cookies to remember that you clicked away the banner, and part of the problem is I also blanket block all cookies on sites that I don't need to log into, so they don't get to "remember" anything.


I know this will probably get buried, but from what I read and understand you still need to notify your users that you are using essential cookies and provide a list of what cookies are essential, why they are essential and what's the TTL? You do not need consent or button click, but there has to be a notification?


No. That does seem to be a common myth though. I would give you a citation, but I cannot prove a negative.


It seems the huge and annoying "Why don't you join Github" banner is gone now, too. They must have eliminated the persistent cookie that clicking "Dismiss" presumably set. That banner was very frustrating for me, as I clear cookies regularly from the browser profile I use for random surfing.


All aboaaaard!

We recently removed Google Analytics and switched to apache server logs. It was the only 3rd party cookie our site was using, and the apache logs are far more transparent. (No one understands or trusts the analytics from google, and no one has the time, they only want to see certain bumps for certain pages).


They still have tracking javascript though:

uBlock Origin has prevented the following page from loading:

https://stats.wp.com/e-202051.js

Because of the following filter:

||stats.wp.com^

Found in: Peter Lowe’s Ad and tracking server list • MVPS HOSTS • Dan Pollock’s hosts file • EasyPrivacy


That is on github.blog, not on github.com. I was really surprised for a while thinking they use wordpress on github.com


Oh sorry yes you are right.

I think if they want to claim that they did this because they care about privacy it might be a little hypocritical to have trackers on the blog post where they're bragging about it.

It also looks like there are still several items on github.com that are beacons / stats tracking (and as such are blocked by privacy / ad blocking tools such as uBlock Origin):

https://api.github.com/_private/browser/stats (beacon)

https://collector.githubapp.com


The collector.githubapp.com is pretty transparent. It includes basic information like the current page, user agent, referrer, and time zone. All of this could be done via server logs, so it's not as creepy as fingerprinting.


> At GitHub, we want to protect developer privacy, and we find cookie banners quite irritating, so we decided to look for a solution. After a brief search, we found one: just don’t use any non-essential cookies. Pretty simple, really.

Now if that realization just would dawn on other websites as well...


If you wanna make that change you've gotta be running the marketing department.


Much of the statements about cookie requirements in this thread are wrong.

The rule is simple: If a website uses non-essential cookies, it must inform users and, in most EU jurisdictions, collect consent prior to placing a cookie on the user's machine.

The rationale behind the rule is that companies should not store company information on end-user devices without the user's consent. The rule applies to all non-essential cookies regardless of whether the cookies collect personal data or are used for tracking. The rule does not cover cookieless server-side tracking of users. Sites do not violate the law when they track users without consent using server-side tools. Sites do violate the law even without tracking users if the site does not collect consent for non-essential cookies.

GDPR enhanced the cookie rules by applying GDPR consent requirements to all cookies that involve personal information. Many sites ignored the old cookie rule because EU law did not give data protection authorities much enforcement power. GDPR increased the power of the DPAs to issue fines of up to 4% of annual turnover. Sites previously ignoring the rules put out cookie banners once GDPR came into effect.

edit: To be clear, Github isn't saying that it stopped tracking users. It's saying that it doesn't do cookie-based tracking and therefore it does not need a banner.


In fact, a trade-off has to happen. A cookie - or in terms of the GDPR, storing data on the end device - does not necessarily have to be technically required for it to be stored without consent. A shopping cart, for example, can technically be coded as a GET parameter in the URL. However, since a cookie is the technically more sensible way to persist the shopping cart, a cookie can be used. This only needs to be explained - ideally in simple language - in the data processing statement.


Great news, not only because of the improved experience in browsing GitHub, but also because finally a big tech player has acknowledged that it is indeed possible not to have a cookie banner, simply by not processing non-essential personal data.

It would be awesome if this started a trend.


I use this bookmarklet to quickly get rid of cookie banners and other banners / stickies :

https://alisdair.mcdiarmid.org/kill-sticky-headers/


One of my favorite things about GitHub making this announcement is that GitHub's corporate overlord Microsoft requires us, as a vendor, to put a cookie banner on our websites even though for a while we literally had no cookies at all.


> so we decided to look for a solution. After a brief search, we found one: just don’t use any non-essential cookies. Pretty simple, really

Many people told you so. Remove third party scripts and cookies and suddenly things become easy.


Nice. I wonder if one could build an analysis program to determine if you actually need the banner or not, with some reasonable accuracy. I would love to see those cut down.


Of all websites using cookie banners, how many require Javascript to be enabled for the cookie banner to display. How many require CSS for the cookie banner to display.


The EU cookie ban should've just been a ban on third-party cookies, then we wouldn't be in this mess. Props on GitHub for following the rules right!


Are cookies banned?


No.


The problem with cookie banners is not their intrusive ubiquity: it's that they keep going against the spirit of the law, which was to make any "non essential" (whatever that means) data collection opt-in.

If that were functioning, whereby the two buttons presented to you were a "Continue without cookies" and "I want to opt in", the annoyance would be worth it. But as it stands, most sites just _pretend_ their tracking is opt-in through an "I agree" button, with "I don't agree" generally leading to a mess of check boxes in front of partners the general public has no idea about.

I do hope regulators end up cracking on this...


I agree, though I prefer to frame this a little differently. If websites make me click on "I agree" by deliberately making it difficult for me to get through to the actual page without jumping through an extra bunch of hoops, then the act of clicking "I agree" does not constitute freely given consent, and therefore they are collecting personal data illegally.

I don't understand why the regulators are ignoring this. It's destroying the entire principle of the regulation.


It would indeed be glorious to see regulators pick 10 of the largest sites with the “Agree and continue” vs “let me uncheck 100 checkboxes” consent, and simply fine them a sum that is large enough to make all sites on the planet decide that it’s better to comply immediately than be in the next round of fines.

Right now I think a lot of sites are thinking “If we don’t use these tracking ads we aren’t going to be able to keep the lights on, so it’s better to use that pretend compliance banner everyone else is using, than to have to close”. And that’s the problem. The regulation should make bankruptcy or a massive risky change of business Model look attractive and low risk compared to “agree and continue”. Otherwise why would shady sites not try to do exactly what they are doing.

Tracking ads are unfair competition. It’s like a business not paying their taxes. The reason you can’t start a site paid by non-tracking ads, is that the competitor uses tracking ads.

When tracking ads aren’t an option, the money in “good” advertising goes up. (Or, all the money is concentrated to Apple and Facebook, the bad scenario).


What I don't get is if the intent of the law was truly to make non-essential data collection "opt-in"... why even bother with all of this instead of just banning it properly? Was there really a concern from people that they wouldn't be able to opt into being tracked by 3rd parties they aren't engaged with?


> "non essential" (whatever that means)

I am quite interested in finding out what exactly this means.

(It was pretty clear to me that the GDPR would eventually rid us of the most flagrant of the abuses like the ones that you mention, via the stick of fines.)


Sounds like that terrible cookie law is actually doing some good. Maybe other sites could follow suit and just get rid of the banner and offending cookies.


GitHub, please remove server side / backend tracking as well, I did not consent to be tracked by your backend systems.


Cookies aren't necessary because you'll have to login to get much of the functionality out of Github anyway.


So, they do analytics looking only at the database data?

I wonder if they built the analytics system themselves or are using a COTS.


You can still do analytics client side without the use of cookies. You just lack the view of a user and a session, since the cookie holds the primary key used to tie events into a session. You are basically just dispatching page views and events. Your reports will not look great but it's possible and probably will be a nice complement to a server side analytics solution.
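The two comments above (the one mentioning a fingerprint that changes every 24 hours, and this one on cookieless event dispatch) describe the approach privacy-focused analytics tools take: hash the request attributes with a salt that is regenerated every day and never stored, so the pseudonym cannot be linked across days. The following is an added example written for this thread, not GitHub's, Fathom's or any other product's code; the class and function names, the site label and the sample events are all constructed. Note the caveat that the WP224 opinion quoted earlier in the thread raises: within a single day the pseudonym still links one visitor's page views together, so this is pseudonymous rather than anonymous analytics.

```python
"""Cookieless unique-visitor counting with a daily-rotating, in-memory salt.

Added example for the discussion above; not GitHub's or any vendor's code.
The visitor-id scheme (HMAC over site, IP and User-Agent with a salt that is
thrown away each day) is an assumption about how such tools work in general.
"""
import hashlib
import hmac
import secrets
from collections import defaultdict
from datetime import date


class DailyVisitorHasher:
    """Turns (site, IP, User-Agent) into a short pseudonym keyed by a random
    salt that exists only for one day. Once the salt is discarded, yesterday's
    pseudonyms cannot be recomputed, so visits are not linkable across days.
    Within the day they ARE linkable, which is why consent questions remain."""

    def __init__(self):
        self._salts = {}  # date -> 32 random bytes, held in memory only

    def salt_for(self, day):
        if day not in self._salts:
            self._salts[day] = secrets.token_bytes(32)
        return self._salts[day]

    def visitor_id(self, day, site, ip, user_agent):
        # Keyed hash rather than plain SHA-256: without the secret salt an
        # attacker could enumerate IP/UA pairs and reverse the pseudonyms.
        msg = "\x1f".join((site, ip, user_agent)).encode()
        return hmac.new(self.salt_for(day), msg, hashlib.sha256).hexdigest()[:16]

    def discard_salts_before(self, day):
        """Forget older salts (the nightly rotation). Returns salts kept."""
        for old in [d for d in self._salts if d < day]:
            del self._salts[old]
        return len(self._salts)


def count_unique_visitors(hasher, site, events):
    """events: iterable of (day, ip, user_agent, path), e.g. parsed from the
    access log or received from a cookieless client-side beacon.
    Returns {(day, path): number of distinct visitors}. Raw IP and UA are
    never stored; only the counts leave this function."""
    seen = defaultdict(set)
    for day, ip, ua, path in events:
        seen[(day, path)].add(hasher.visitor_id(day, site, ip, ua))
    return {key: len(ids) for key, ids in seen.items()}


# Constructed sample events (documentation-range IPs, made-up user agents).
FIREFOX = "Mozilla/5.0 (X11; Linux x86_64) Firefox/84.0"
CHROME = "Mozilla/5.0 (Windows NT 10.0) Chrome/87.0"
SAMPLE_EVENTS = [
    (date(2020, 12, 17), "203.0.113.7", FIREFOX, "/"),
    (date(2020, 12, 17), "203.0.113.7", FIREFOX, "/pricing"),
    (date(2020, 12, 17), "203.0.113.7", FIREFOX, "/"),       # same visitor, reload
    (date(2020, 12, 17), "198.51.100.23", CHROME, "/"),
    (date(2020, 12, 18), "203.0.113.7", FIREFOX, "/"),       # next day, new salt
]


if __name__ == "__main__":
    hasher = DailyVisitorHasher()
    for (day, path), n in sorted(count_unique_visitors(hasher, "example.test", SAMPLE_EVENTS).items()):
        print(day, path, n)
    hasher.discard_salts_before(date(2020, 12, 18))
```

The salt is deliberately generated with `secrets.token_bytes` and never derived from a stored secret: if it were derived (for example HMAC of the date under a long-term key), anyone holding that key could recompute old pseudonyms and the 24-hour limit would be cosmetic.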


Finally, I've been saying this for years, glad to hear that people are finally acting on this. Great news.


I assume that means a lower ad revenue and lower quality analytics. I wager they did a study and found the benefits of removing the dialogs outweigh the costs.

Cookie dialogs are indeed horrible and out of control. Good on them for making the jump. But I doubt many others can justify the cost associated with the change. We need a better solution that gives users choice but reduce the friction caused by annoying prompts.


Github doesn't have any ads to begin with as far as I know? So there is no ad revenue lost.


Teams has so many bugs and crashes, I'm flabbergasted how Microsoft can deliver something like that.

Especially given that they have shown that they are capable of delivering a good experience based on the Electron platform with VSCode.

My only explanation would be that it was cobbled together by interns, never meant for public release, then some project manager discovered it and said "Ship it!".


I think your comparison to VSCode is very useful, but with regards to crashing - I’ve not had Teams crash even once after a year of heavy use.

VSCode was made with the explicit intent of attracting software developers, who not always but generally get to use whatever editor they want. If VSCode was not snappy and responsive, it would never have been a viable product for its target market.

Chat is the other way around. Slack is on my computer and there’s nothing stopping me from using it, but every org I’ve been at has mandated official communication channels, and for me it’s teams. Chat platform decisions are not made by the same metrics that software developers use for editors. I’m not excusing it, but I don’t see how it could work another way. I would assume teams project managers are incentivized to deliver a list of features and integrations that are targeted squarely at the desires of mid to senior level enterprise IT execs.


Teams for me is an almost unusable, frustrating, pile of js. It also seems very polarising -- most other colleagues don't have the crashes and issues I do, but some people have similar experiences. I'm genuinely convinced it just hates a small proportion of all SSOs. I literally can't make any calls on the Mac app at the moment, and haven't been able to since August.


Are you using it on OS X? Runs fine on Windows for me and haven't heard any complaints from any of my coworkers. Everyone says it's better than WebEx.


Runs fine on OSX for me as well. No issues, pretty clear audio. Happy in general.


This has not been my experience at all. It is quirky, but very usable none the less.


Is it true that you only need the banner for non essential cookies? I thought you need one regardless.


I think the Snowden leaks have shown that privacy is dead and has been for some time. I’m not sure why you all seem to care? The only choice is do you want the government to have a monopoly over data or have private corporations profit while providing services. Genuinely curious why people are against anonymized tracking.


I have zero interest in adding analytics to any site or application I might create in the future and, of course, I also don't want to bother future users with what would be pointless pop-ups. I thought that doing what github did would be enough, but now I'm not so sure because of one thing and some comments I saw here that might be related to that.

I would still like to improve any application I might create depending on how it's being used (to know what features to improve, which ones could potentially be removed or changed, etcetera). Keeping logs of this kind of usage would still go against the GDPR? I thought that it wouldn't as long as it was aggregated data without using any of the users' personal information. But some comments here have led me to believe that it would go against the GDPR regardless because it would still mean separating unique users.

Hoping someone more familiar with the law sees this comment. I mean, I can think of multiple ways to aggregate that data, even with unique users, without using personally identifying information, but I'm not sure anymore if that's enough.


Or they could use localStorage instead, which is a superior storage mechanism.


localStorage and cookies are the same in terms of GDPR. It encompasses all local storage mechanisms such as IndexedDB, cookies, localStorage, sessionStorage, etc.

(source: I read the directive way back when it came out, and also skimmed large sections of GDPR)

Other sources: https://softwareengineering.stackexchange.com/questions/2905... and https://law.stackexchange.com/questions/30739/do-the-gdpr-an...


I’m not a lawyer, but I’d be shocked if you could get around gdpr by using a different api. If gdpr was actually limited to `document.cookie` and `Set-Cookie` it’d be a laughable attempt to protect users.


This should be the standard.


And, in a way, this is the standard by the fact that they are not required to show the banner if no non-essential cookies are being used :)


Right, what I meant is that only using essential cookies should be the default web development practice. Instead the default these days seems to be websites that are positively larded with third-party scripts, analytics tools, and other crap.


It is standard development practice. But sometimes development is done in service of a business plan, in which case those requirements would apply.


Most web development is done to generate income, so that sounds wholly appropriate


So instead they’re doing 1st party tracking, which I think is not allowed.


Huh, so the EU cookie-law wasn't completely useless after all.


Having GitHub credentials on your machine and interacting with the service is the most valuable data for GitHub. They probably have something in the terms that they can use this data.

So I see this more like a warning, than a positive thing.


I guess this means that M$ is no longer a valid criticism.


Sorry, but why is GitHub’s blog on HN 3 times today?


It was really that easy. Kudos. Others should follow


Thank you, EU for setting _any_ kind of bar! <3


Hope more companies decide to go full cookieless!


Since many comments are already a mix-up of "Cookie Law" and "GDPR" (2 separate EU directives) related to Google Analytics, I'll also throw in this bit:

Google Analytics offers an `anonymizeIp` setting [0] to tell it to not store IP addresses of your users. This might be a good default in light of GDPR.

[0] https://developers.google.com/analytics/devguides/collection...


Unless this is accompanied by actual technical detail, it sounds like they just re-labelled all cookies as "essential" and called it a day.


This is great!


So how does Github track usage and site traffic? That seems non-essential to me and not something you could completely manage server-side.


Great work!

Thanks, github, for setting the example.


How do you do site analytics?


The same without tracking users with personally identifiable information. You know how many people clicked on which button, but you don't know that the user 05475524789 who clicked on the button lives in South Europe, has HIV, and is interested in video games and vacuum cleaners.


Your webservers provide all the information you need via a logging mechanism.


Very nice!!! Thanks Github!


Website is down rofl


cries in git


This is awesome!


I understand the need for GDPR, but its consequence of obtrusive cookie consent banners is easily one of the worst things to happen to the web in recent memory.


That's like blaming the flashlight for revealing rats under the kitchen sink


I'm not blaming the popups. I'm lamenting the fact that every damn site opens with a pop-up now. They are the negative consequence of an otherwise well-meaning bill.

As good as GDPR was for privacy, it's equally bad for UX.


The bill is well meaning precisely because it exposes a systemic problem not just with UX but with a ton of other aspects of the web. It's a bit like having your kitchen smeared in rat shit. There is a moment of annoyance when you realize that, but it's the first step towards being able to clean it up. It's not so much negative consequences as a problem that was there to begin with whether we noticed it or not. It's subjectively negative in the moment, but to ignore it would have been far more of a problem.


Cookie banners are not a result of the GDPR.

They're a consequence of the ePrivacy directive from 2002.

The reason why they're more prevalent now is because GDPR 1) made people aware of data protection issues; and 2) made people more scared of fines.


..so what's the real reason?


We think cookie banners are horrible and couldn't design one that isn't disrespectful to you all – developers. Also, privacy is good?

Sometimes there is no conspiracy theory. :)


They don't need a real reason, because being known to respect privacy coincides with their incentives


Wait, GDPR only applies to third party cookies? Surely companies can just do the same tracking from their own domain.


I seriously don't understand the cookie hooplah. You know that they can still send most of the same information off to 3rd party services on the back end?


I find it annoying that 3rd party analytics gets lumped in with ad tracking. Analytics is incredibly useful for improving products, it lets you see where users are having a hard time and it lets you do experiments and measure the results. It's beneficial to both the user and the company, it's a win-win.


Why are there so many people on this website willing to bend over backwards for their employers shoving cookies down our throats? Is it because they pay so much money that you don't care what happens to others as long as you get yours?


Title should be "Github admits abusing users with non-essential cookies".


Is there a Chrome or Firefox add-on to completely strip the cringe worthy emojis?


the beautiful irony of having "share on Facebook link" on this page


Prior to the GDPR making this law, Silktide, the creator of a popular cookie banner software, got fed up, removed the banners and asked the ICO to sue them.

The ICO responded. They said that they accomplished the goal of bringing awareness to cookies and it’s usage.

https://nocookielaw.com/


The GDPR did not introduce the requirement to inform users of cookies.

That was the ePrivacy Directive. From 2002.


Have they found some alternative to cookies?


Cookie is a technical solution. The law isn't about cookies but about privacy.

The alternative to asking permission to do intrusive things is to avoid doing intrusive things.


Finally someone who knows this! Even (some) "SEO advice" blogs have suggested to just use local storage instead of cookies.

Just no.

Both the e-privacy directive and the GDPR are very broad in their articulation and never mention specific techniques, technologies or anything like that. A good example is gdpr article 32.

Fun fact: the e privacy directive (which defines the cookie rules) isn't actually passed yet and technically you don't need cookie banners how they are now. Purely informational banners would be enough, but the directive already _should_ have passed but was delayed, and since gdpr spooked everyone, everything and everyone is using cookie banners now anyway


>Fun fact: the e privacy directive (which defines the cookie rules) isn't actually passed yet and technically you don't need cookie banners how they are now. Purely informational banners would be enough, but the directive already _should_ have passed but was delayed, and since gdpr spooked everyone, everything and everyone is using cookie banners now anyway

The ePrivacy Directive passed in 2002. It was amended in 2009 to include the cookie rule. The ePrivacy Regulation which would codify cookie requirements as an EU-wide regulation has not passed yet.


My bad. Thanks!


You're confusing the upcoming ePrivacy regulation with the existing ePrivacy directive - one that's been in force for 18 years.

Just like people thought that the data protection was a new concept when the GDPR was created, ignoring the fact that the Data Protection Directive had been around for decades.


My bad. Thanks!


No, they just don't use any non-essential cookies.


Logging into Github lands me 10 cookies (5 of which have a 365 day expiry), and a row in local storage - are these all 'essential'?


Nat's right: this IS a no brainer. SourceHut hasn't had any non-essential cookies since day one. If you're reading this, Nat - how about removing third-party resources entirely from your pages next?


Why, and which third-party resources are you referring to? Looking at uBlock Origin in a GitHub PR page now, I see the following domains:

- github.com

- githubusercontent.com, DNS pointing at github.map.fastly.net

- githubapp.com

- githubassets.com

All these are GitHub-owned, so from a privacy / customer relationship standpoint it looks fine (except github.map.fastly.net , which is probably for CDN purposes), isn't it? I mean: there is zero googleanalytics / zendesk / tracking saas nonsense here. Or are you making this point from a performance standpoint?

By the way, I haven't used SourceHut yet, but thanks a lot for your opensource work.


github.blog loads third-party content from Google and Wordpress. GitHub proper also has first-party analytics scripts, which disregard Do-Not-Track and shouldn't be there at all.


Here's a cookie set in my browser from github in a fresh browser: Cookie:

_gh_sess=eAAHHEQEjZlQKwq8kaSMpTeHC7tyMGwhVexbpZMVfDbjWCf764z4UMG7S%2FeLZpE0ML5y8%2FnmSEd2ZhiDLBHlZyA08Dj8cGob%2BGXSbGSjztMyc5pdd8uxj8qgxc78SHYw01E6pnOnWHRo7XoeTjKje%2FktOx5wObpjZj8JhfOnngdIlhfxSc1EctIth6RDFIsr2HPw9pbDczMfDwwKuswMrkMIt1JEOglF2L%2BxAdscMjeuXu2zFei58AR%2FwRQ%2FGgY3RbQigWt2w%2BKHDIY7a6pISw%3D%3D--H9M6LNV7YPDc1Dvm--vbgFN9CpCkCxTdfhdlvJkg%3D%3D; _octo=GH1.1.770191202.1608243985; logged_in=no; tz=America%2FLos_Angeles

This could easily be used for tracking on the backend... It would be better to not store a large opaque string.


How is that opaque string any different than any shorter, random string that uniquely identifies the user such as "da39a3ee5e6b4b0d3255bfef95601890afd80709"? They can store whatever data they want in the session store in the backend.


They could just store certain variables explicitly like they do for these ones: logged_in=no; tz=America%2FLos_Angeles

It could get rather big of course. They could not store sessions on the backend for anonymous users.
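The exchange above (and the earlier question about ten cookies, five of them with a 365-day expiry) is the kind of thing you want to check with a script rather than by eye: what matters for tracking is not the cookie's name but how long it lives and how many distinct values it can hold. The following is an added example, not GitHub's code and not something the commenters posted. The cookie names and the `_octo`, `logged_in` and `tz` values are taken from the Cookie header quoted above; the `_gh_sess` value is shortened and the Set-Cookie attributes (Max-Age, Expires, Secure, HttpOnly, SameSite) are constructed, since the quoted header does not show them. The 64-bit threshold and the Shannon estimate are assumptions of the example, a rough screen that a human still has to review.

```python
"""Audit Set-Cookie headers for long-lived, high-entropy values.

Added example for the thread above; not GitHub's code. The cookie attributes
below are constructed, and the entropy threshold is an assumption.
"""
import math
from collections import Counter
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed Set-Cookie headers modelled on the Cookie header quoted above.
SAMPLE_SET_COOKIES = [
    "_gh_sess=eAAHHEQEjZlQKwq8kaSMpTeHC7tyMGwhVexbpZMVfDbj%2FeLZpE0ML5y8%3D%3D; "
    "Path=/; Secure; HttpOnly; SameSite=Lax",
    "_octo=GH1.1.770191202.1608243985; Path=/; Domain=github.com; "
    "Expires=Fri, 17 Dec 2021 22:26:25 GMT; Secure; SameSite=Lax",
    "logged_in=no; Path=/; Domain=github.com; Max-Age=31536000; Secure; HttpOnly; SameSite=Lax",
    "tz=America%2FLos_Angeles; Path=/; Secure; SameSite=Lax",
]
NOW = datetime(2020, 12, 17, 22, 26, 25, tzinfo=timezone.utc)  # reference time for Expires
IDENTIFIER_BITS = 64  # assumed: enough distinct values to single out every visitor


def shannon_bits(value):
    """Rough identifier capacity: per-character Shannon entropy times length.
    Overestimates for readable strings, so treat the result as a screen."""
    if not value:
        return 0.0
    n = len(value)
    per_char = -sum(c / n * math.log2(c / n) for c in Counter(value).values())
    return per_char * n


def parse_set_cookie(header):
    """Split 'name=value; Attr=x; Flag' into (name, value, {attr: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def lifetime_days(attrs, now):
    """None for a session cookie, otherwise days until expiry (Max-Age wins)."""
    if "max-age" in attrs:
        return int(attrs["max-age"]) / 86400
    if "expires" in attrs:
        return (parsedate_to_datetime(attrs["expires"]) - now).total_seconds() / 86400
    return None


def audit_cookie(header, now=NOW):
    name, value, attrs = parse_set_cookie(header)
    days = lifetime_days(attrs, now)
    bits = shannon_bits(value)
    return {
        "name": name,
        "lifetime_days": days,
        "entropy_bits": round(bits, 1),
        "secure": "secure" in attrs,
        "httponly": "httponly" in attrs,
        "samesite": attrs.get("samesite", "").lower() or None,
        # A persistent, high-entropy value behaves like a tracking identifier
        # whatever it is called. An opaque session cookie can still correlate
        # requests, but only until the browser discards it.
        "potential_identifier": days is not None and bits >= IDENTIFIER_BITS,
    }


def audit_cookies(headers, now=NOW):
    return {a["name"]: a for a in (audit_cookie(h, now) for h in headers)}


def summarize(audit):
    """Counts the commenter above was asking for: how many cookies survive a
    browser restart, and which of those could serve as identifiers."""
    return {
        "total": len(audit),
        "persistent": [n for n, a in audit.items() if a["lifetime_days"] is not None],
        "flagged": [n for n, a in audit.items() if a["potential_identifier"]],
    }


if __name__ == "__main__":
    result = audit_cookies(SAMPLE_SET_COOKIES)
    for entry in result.values():
        print(entry)
    print(summarize(result))
```

Under these constructed attributes only `_octo` is flagged: it is both persistent and has roughly 90 bits of value entropy. `_gh_sess` is far more opaque but is a session cookie, and `logged_in=no` lives a year but carries about two bits, which cannot distinguish visitors. Run the same audit against the real `Set-Cookie` headers from a fresh profile (for example the response headers captured by the browser's network panel) to answer the "are these all essential?" question with lifetimes instead of guesses.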


I really don't care about cookies when visiting any website. I have a residential IP address; tracking me using this is pretty much equivalent to having a cookie, yet I'm forced to accept a cookie which has near zero effect on my privacy, all the while not being under the jurisdiction of EU laws regardless.

This is part of the web, when creating legislation that attempts to block/censor or circumvent technology that is already widely used it's in the highest degree repressive and when there are good intentions behind those laws it's just plain dumb.

I wonder how better EU tax payer money would have been used if they were spent on advocating a change to the browser vendors/W3C instead of on law makers exerting their power way beyond their rein.

What is the best Chrome ext to auto accept cookies?


No EU lawmaker has ever said GDPR will be enforced worldwide. It's Github's and other sites' own choice to enforce it worldwide. They could also build two separate websites.

The fact that this laws' reach is almost global is something called the Brussels Effect: https://en.wikipedia.org/wiki/Brussels_effect

But there is also the other way: simply not show a website in Europe at all. I see this sometimes when I click a link: https://imgur.com/a/A5S4drS


> No EU lawmaker has ever said GDPR will be enforced worldwide

It literally takes 3 seconds to analyze the game theoretical effect of such a law to recognize its reach is well beyond Europe and therefore also clearly understood it to be such when passed.


Curiously, the EU cares more about the privacy of EU residents than it does annoying people who live elsewhere. Additionally, it "literally takes 3 seconds" to realize that the solution is to remove tracking cookies or block people from the EU if you don't want their business.


I think you're missing the point, I don't have that choice as the user of websites. When I'm googling for an answer I cannot choose which website I visit based on the sophistication of their cookie banner before I visit it.



