Hacker News
Removing cookie consent requests from Firefox iOS (rchaves.app)
52 points by rchaves on Feb 17, 2022 | 53 comments



> In europe, all websites require you to accept cookies

It is always worth pointing out that the complex dark-pattern filled forms that many sites use are their choice and not imposed by the relevant legislation.

They could just make it all opt in/out with a single click, but they know that without the trickery very few users will opt in to being stalked, so instead they try to make it as difficult as possible in the hope that you agree to everything either accidentally or just because you are sick of it and want the form to go away. I just back away from sites like that and in particularly egregious cases I've blocked them at the network level with a DNS blacklist: the information I'm looking for has always also been available somewhere else less irritating.


I want to reject all of them, at a protocol level, and never see another one again. That this wasn't written into the "Cookie Law" is proof to me that GDPR and Schrems II are largely written by people who don't understand the technical ramifications of pushing legislation like this through.


"Do not track" is exactly the feature you're talking about and already exists in all common browsers.

What it's missing is a reason for websites to comply, which is what a law could enforce.


But it didn't, again begging the wisdom of the "Cookie Law" authors.


How do you reject server-side tracking based on IP and other unique bits at the protocol level?


Use VPNs and software that only communicates the minimum necessary information required for a transaction.

Browsers don't have to provide uniquely identifiable information. Surveillance was a voluntary choice implemented by developers, not a necessary evil.


The dark patterns should be a violation of the spirit of the law.


They literally are. If a consent form has an “allow all” button but no “reject all”, as many do, then it is not compliant. Likewise for “legitimate interest” (that one really gets my hackles up: it basically says “we see your preference, what would you think if we didn't give a crap?”).

There have been some fines related to this sort of thing, and over time some of the dark patterns are getting a little less common, but enforcement thus far has not been sufficient to make the less dark variants the norm.


They are. Enforcement is on the way, just slow. Belgium just charged the IAB Europe group a big fine.


The dark pattern is that the government can order people what to put on their Web site.


They can order people what not to put on their web site. Unless they put in a notice. Just like in the US, where if you advertise sports betting, you have to point at the hotlines.


It's kind of terrible that you can use extensions XOR your own browser on iOS. One of the many things that drove me back to Android after a good three years using an iPhone.


I have an iPhone for testing stuff for work, and the lack of addons for Firefox on iOS would be a dealbreaker for me if I was going to use it as my daily driver.


Could someone build a large list of such cookies or local storage objects, that I can simply import into my browser and it will remember that I already clicked the consent button? It should be a standard feature of adblockers by now, it has gotten completely out of hand. A billion people losing 10 billion seconds of productivity per day, a handful of lifetimes wasted.


> I don’t know why decades later after this law came into play, nobody at Mozilla or Chrome teams thought of pushing that as a web standard, it just seems so obvious to me: if it’s something every website has to build it over and over again, let’s make it a standard. This way the browser itself could handle it, and so much better

They did. There was the do-not-track header. Of course nobody used it. Sites don't want to make it so you can automatically opt out of cookies. The only way they'll use some standard system that allows that is if the law forces them to.

I did vaguely hear that that may happen. Presumably the bureaucrats that wrote that bit of the GDPR (apparently without consulting anyone who knew anything about the web) do use the web and they must have noticed how annoying it is.


> Presumably the bureaucrats that wrote that bit of the GDPR (apparently without consulting anyone who knew anything about the web) do use the web and they must have noticed how annoying it is.

The GDPR mandates that non-functionally-essential tracking (regardless of whether it’s done via cookies or other means) should be strictly opt-in and the consent process shouldn’t annoy or trick the users into opting in. Pre-ticked checkboxes or making the opt-in button more prominent than the decline button aren’t allowed.

The problem is that up until now enforcement has been non-existent. Thankfully this seems to be changing - the Internet Advertising Bureau’s “consent” framework has recently been ruled non-compliant so hopefully there’s going to be some financial pressure (in the form of fines that everyone has been fear-mongering about) to fix this properly.


> the consent process shouldn’t annoy or trick the users into opting in. Pre-ticked checkboxes or making the opt-in button more prominent than the decline button aren’t allowed.

I wish that was true but the GDPR doesn't actually say that as far as I know. There's official advice to that effect, but it's not written in the law. IIRC it just says it must be a "free choice" which is way more open to interpretation.


I think it's pretty clear that whoever wrote the cookie consent law didn't know the first thing about cookies. Though I'm not completely discounting the possibility that ad companies are deliberately obtuse.

Why law makers decided people should be warned about the websites storing data client-side with users having full control over the content and who it gets shared with, is something I will never quite understand. Though I do recognise that some of the blame lies with most user-agents storing these cookies indefinitely and sharing them without question, by default, to this day.


> Though I'm not completely discounting the possibility that ad companies are deliberately obtuse.

They are definitely being deliberately obtuse. Nothing in the relevant legislation requires anything like the party of dark patterns we see in many sites, in fact many of the consent forms are not conformant with the legislation at all anyway.


Please read my other comment in this thread - the vast majority of cookie consent modals aren’t actually compliant with the GDPR. The problem is that there’s been zero enforcement.


It really doesn't matter. It wasn't written to be enforced at the protocol level and that was its biggest mistake. The amount of life it has extracted from me is worth far more than the abuse of the data.


HyperWeb (a YC company, I believe) offers this functionality in its Safari extension. Very helpful!


Yep and the feature is just rule based auto-clicking elements after the page loads. So it can skip other annoyances like newsletter or app download prompts too.

https://guide.hyperweb.app/remove-annoyances/autoclick/


Does it actually simulate a click in the browser or just call the click event handler?


I used auto web and it rendered Safari unusable.


>Don’t get me wrong, I admire the spirit of the law, that people should know how they are being tracked, but I don’t know why decades later after this law came into play, nobody at Mozilla or Chrome teams thought of pushing that as a web standard, it just seems so obvious to me

They did. It was called Do-Not-Track. The ad industry barely gave a care about it. Microsoft got the bright idea to make it opt-in, but they aren't iOS, so the ad industry responded by ignoring DNT entirely and that was that.

The reason why GDPR plagues the Internet with maliciously designed and legally non-compliant pop-ups everywhere is because of a small exception for "user consent" as a lawful basis for data collection. I imagine the intent was for things like opting into telemetry and error reporting[0], with the idea that if someone tried to ask for consent for ad tracking it'd be rejected.

The ad industry is vehemently opposed to opt-in consent because of two reasons:

- People don't change defaults, so making tracking opt-out means most people get tracked while making it opt-in means most people don't get tracked.

- Nobody will consciously opt-in to ad tracking, or at least they assume nobody will do so.[1]

Since GDPR more or less forces ad companies and web publishers to actually provide user-visible controls for tracking, they've generally agreed upon circumventing the spirit and letter of the law by blasting people with illegal dark patterns to create a veneer of compliance. This is something the EU will need to enforce (and is doing so).

The rest of this article is great, BTW - not a lot of people actually go through the effort of modifying FOSS on iOS to do what they want, and I think more people should. In fact, you might even be able to get this work upstreamed, assuming Apple doesn't have a problem with bundling anti-tracking tools like this into a third-party browser.

That being said, I really wish most FOSS projects on this platform had build systems friendlier to third-party builds than Xcode projects are. The whole "wipe all the team IDs and change the bundle identifier" dance is annoying, and you always have to remember not to commit those changes in Git. I really wish we could make all that information separate from Xcode so it could be properly gitignored.

[0] I generally draw a line between telemetry and ad tracking. As far as I'm concerned, using my data to improve the product I'm using is legitimate. The only concern I have there is who stores the data. Using my data to make your ad sales more lucrative is not. And I imagine if you forced users to make an educated decision they'd be more OK with the former than the latter.

[1] I have heard of people who consciously prefer relevant advertising. You could pitch it to users on that basis; however, ad tracking goes way beyond interest targeting. A huge segment of the ad industry is remarketing: selling ads to people who have recently visited another website. I've found that nontechnical users find these ads to be incredibly annoying, if not creepy, but just assume there's no way to turn them off because the option to do so is intentionally buried.


I don't understand the advantage to using Firefox over Safari on iOS. No uBlock Origin = what's the point = I have zero interest in an iPad.


It can sync your history and bookmarks with desktop Firefox. I think it's also affected by any ad blockers used by iOS Safari such as AdGuard, so there's very little disadvantage.


> I think it's also affected by any ad blockers used by iOS Safari such as AdGuard, so there's very little disadvantage.

It’s definitely not affected by AdGuard (as a content blocker); it’s only affected by AdGuard as a DNS ad blocker, and if you see no difference between a content blocker and a DNS blocker I envy you and you have a way higher tolerance for web bullshit than I do.


You’re right, it isn’t. I haven’t used the iOS Firefox much but I did notice some ads were blocked. I thought that was AdGuard but it might be the privacy/tracking settings in Firefox.


It’s not able to use Safari content blockers as far as I know (I don’t think any non-Safari browsers can?).


Aside from the fact that, as others have pointed out, there is more to Firefox than the engine (though I wish I could have that too), such as Firefox Sync and a UI that better suits my taste, it also signals interest in using a different browser, which hopefully will push Apple to allow full 3rd party web browsers at some point.


How about freedom?


In what sense? On iOS you're still using Safari under the hood basically, so there's pretty minimal "freedom" involved, if any.



If you're interested in freedom, as in free software, why would you even touch an Apple device?



And if you're using an Apple device, why bother with a second class browser? The sync isn't worth the hassle.


What hassle? The one time app download? Firefox sync works fine.


The hassle of no adblockers (or extensions), bookmarking/read listing/redirecting/etc. from in-app webviews, inability to add a website to Home Screen, zero PWA support (even if Safari's is limited), and I'm sure there's others.

It's not Firefox's fault. It's just that Safari has system-level privileges that Firefox can't have, despite just being Safari under the hood.

With that said, I'm not the person you replied to and wouldn't argue against someone using Firefox on iOS. The above are just my reasons for not using it, so it's understandable if those things don't matter to others.


Everything that's not Safari is just a skin over Safari, minus the convenience of system integration.


You seem to be implying that Apple is first rate.

Hard disagree.


I think they meant "second class" as in "second-class citizen" not "second-rate."


On computer hardware that the writer owns compiling free software for other computer hardware they own - they need a license from Apple.

What does it actually mean to buy something these days?


It means voting with your wallet and helping push society away from corpo traps like this.


Well yes! I develop on Apple. I do not own any Apple hardware.

But I get the impression that for the people of North America tablet/smartphone mean iPad/iPhone.

I have no data, but it is the very strong impression I get.


About half of smartphones sold in the US and Canada are iPhones. The Mexican market is dominated by Android.


Part of the impression that iOS is dominant comes from usage stats. Last I had insight into the stats (maybe three years ago? Four?) iOS users spent way more time using their devices than Android users, it had been that way basically since iOS and Android had existed, and that state showed no signs of changing. Web browsing? Average iOS user does more of it. Time in apps? Ditto. So they have a much larger usage footprint, are more visible in hands as you're out and about, etc.


Sure you could do that.

Or you could just download Firefox Focus and enjoy ephemeral browsing sessions where all traces can be eradicated at one touch of the little trash icon.


Great app, but doesn't have anything to do with the goal of the OP. Firefox Focus doesn't block EU cookie banners.


Yes, I know it doesn't strictly block banners.

But for 99.9% of people it frankly achieves roughly the same goal of being able to hide from cookies with minimal effort.


The goal isn't to hide from cookies, it's not having to click through cookie consent modals. Having ephemeral sessions actually makes this problem worse because sites actually use a cookie to track whether you've consented to the other cookies the site wants to use. So not having the "has/has not consented" cookie causes the modal to appear, making you set your preferences every time you visit the site instead of just the first time.


The problem isn't the cookies. The problem is the consent popups.



