Comment by mvkel

1 month ago

This mindset is how we got those awful cookie banners.

Even more dialogs that most users will blindly tap "Allow" to will not fix the problem.

Society has collectively decided (spiritually) that it is ok signing over data access rights to third parties. Adding friction to this punishes 98% of people in service of the 2% who aren't going to use these services anyway.

Sure, a more educated populace might tip the scales. But it's not reality, and the best UX reflects reality.

Nope, collective indifference to subpar user experiences has gotten us those lousy cookie banners.

Web sites could legally use cookies for non-tracking purposes without cookie banners but considering people have not stopped visiting sites despite the fugly click-through cookie banners makes them a failure.

All it takes is for 50% of the internet users to stop visiting web sites with them, and web site authors will stop tracking users with external cookies.

  • "All it takes is for 50% of the internet users to stop visiting web sites with them..."

    You've written that like it's a plausible and likely scenario.

    • Yeah, this is an insane proposal. I know GP may be imagining a smart populace walking away from Big Evil Facebook and X with heads held high, but the other 99% of sites are also doing the same cookie banner stupidity because it is roughly mandatory due to useless EU law (unless you’re not engaging at all in advertising even as an advertiser). So, no more accessing your bank, power utility, doctor, college, etc. That’ll show those pesky cookie banner people!

      “The Internet” to someone boycotting cookie banners would basically just be a few self-hosted blogs.

  • I read an article that said something along the lines of people aren't prepared to pay for apps, so instead we get app store silo advert supported crap-ware. And if it's not the apps it's clickbait making fractional gains by being supported by ad networks. That some of, but not all of us recoil from.

  • > All it takes is for 50% of the internet users to stop visiting web sites with them, and web site authors will stop tracking users with external cookies.

    How would the content creators or news sites earn then? Web is built on ads, and ads are built on tracking as untargeted ads pays significantly lower than targeted.

    • > How would the content creators or news sites earn then?

      “Creators” seem to do just fine with the patronage model.

      > ads are built on tracking as untargeted ads pays [sic] significantly lower than targeted.

      Not my problem. I am not required to prop up your failed business model.

No. A significant number of people care about Privacy which is why 1. Apple was targeting them with Ads and 2. AdBlock did hurt Google's business. Also care is different from go to war (as in install Linux and manually set up a privacy shield + Tor + only transact in Monero). Some people do that out of principle. Many people want the Privacy features but with the ease of use.

  • Define "significant," and do you have a source?

    I'd bet if you ask people "do you care about privacy?" Close to 100% would say yes.

    If you ask "you have to give up privacy to be able to log in to your email automatically. Are you ok with that?" Close to 100% would say yes.

    If you ask "we will give you this email service for free but in exchange we get to squeeze every ounce of juice that we can out of it to persuade you to buy things you don't need. Are you ok with that?" Close to 100% would say yes.

    It doesn't matter what people say they care about. Their actions say otherwise, if the privacy-friendly option is in any way less convenient.

> This mindset is how we got those awful cookie banners.

The only thing I've found awful is the mindset of the people implementing the banners.

That you feel frustration over that every company has a cookie banner, is exactly the goal. The companies could decide that it isn't worth frustrating the user over something trivial like website analytics, as they could get that without having to show a cookie banner at all.

But no, they want all the data, even though they most likely don't use all of it, and therefore are forced to show the cookie banner.

Then you as a user see that banner, and instead of thinking "What a shitty company that doesn't even do the minimal work to not have to show me the cookie banner", you end up thinking "What a bad law forcing the company to inform me about what they do with my data". Sounds so backwards, but you're not the first with this sentiment, so the PR departments of the companies seem like they've succeeded in re-pointing the blame...

  • Seconded: and we need to have worthy competitors spring up without those bad practices and lousy cookie banners, and people to flock to them.

    Once that happens, the "originals" will feel the pressure.

  • The non-use of collected data is the most ridiculous part of all this. I work with many companies that collect tons of data and only use a small percentage of it. All they're doing is building a bigger haystack.

    This is partially due to the fact that Google Analytics is free and the default for most website/app builders. But, still, it's ridiculous.

  • In my experience, most people that have semi or full decision-making control over this kind of thing have absolutely no idea if they even need cookie consent banners. They just fall for the marketing speak of every single SAAS product that sells cookie-consent/GDPR stuff and err on the side of caution. No one wants to be the guy that says: "hey, we're only logging X, Y and not Z. And GDPR says we need consent only if we log Z, so therefore we don't need cookie consent." For starters, they need a lawyer to tell them it's "A OK" to do it this way, and secondly it's plain old cheaper and a lot less political capital to just go with the herd on this. The cost of the banner is off-loaded outside of the company and, for the time being, the users don't seem to mind or care.

    This is why half the web has cookie-consent banners. No amount of developers who know the details screaming up the ladder will fix this. The emergent behavior put in place by the legal profession and corporate politics favors the SAAS companies that sell GDPR cookie banner products and libraries. Even if they're in the right, there is a greater-than-zero percent chance that if they do the wrong thing they'll go to court or be forced to defend themselves. And even then if it's successful, the lawyers still need to be paid, and the company will look at "that fucking moron Joe from the website department" which caused all their hassles and countless hours of productivity as a result of being a "smart ass".

    • > have absolutely no idea if they even need cookie consent banners

      > This is why half the web has cookie-consent banners

      Agree, but we as developers can have an impact in this, especially in smaller companies. I've managed to "bark up the ladder" sufficiently to prevent people from mindlessly adding those popups before, and I'm sure others have too.

      But those companies have all been companies where user experience is pretty high up on the priority ladder, so it's been easy cases to make.

  • People think in terms of what is inconveniencing them directly. Great examples are when consumers yell at low level workers when a company has horrible policies that run back to cost cutting...

    or union workers strike against Imaginary Mail Service Corp. because they are being killed on the job, and people (consumers) get angry at the workers because their package won't show up on time (or the railways aren't running, etc...) instead of getting mad at the company inflicting that damage on other people...

    or when [imaginary country] puts sanctions on [other poorer country] the people of that country blame the government in power instead of the people directly inflicting harm on them.

    I'm not sure why this is the case, but we have been conditioned to be resistant to the inconvenience and not the direct cause. Maybe it's because the direct cause tends to be a faceless, nameless entity that directly benefits from not being the target of ire.

  • [flagged]

    • Do you feel like your comment is responding to mine in good faith and using the strongest plausible interpretation? Because it sure feels like you intentionally "misunderstood" it.

      Obviously the intention is not "to not improve user privacy at all" but to give companies and users the agency to make their own choices. Many companies seem to choose "user inconvenience" over "user privacy", and it now makes it clear which companies made that choice. This is the intention of the directive.

    • Those are the same goals, at least in a capitalistic free market. The theory is that consumers will go towards products which are better (meaning, less obnoxious), and therefore the obnoxious websites will either die off or give up the banners to conform to the market.

      Naturally, as you can see, free markets are purely theoretical. In practice, up and leaving a website you're using is almost never easy, and isn't even a choice you can make often.

  • It’s odd that you think the people implementing the banners want them so they can get more data. They want them because they provide a shield from litigation. I don’t know about you, but in the past year, most of my ads on Facebook are from law firms with headlines like “have you browsed (insert random minor e-commerce site) in the past two years? Your data may have been shared. You may be entitled to compensation.” If I’m a random mom and pop e-commerce site and I do not add a cookie banner, and I use any form of advertising at all, then I am opening myself up to a very expensive lawsuit - and attorneys are actively recruiting randos to serve as plaintiffs despite them never being harmed by “data collection.”

    It’s that simple. That’s the situation with CCPA. Not sure the exact form that GDPR penalties take because I’m not European. But it’s not a complicated issue. You have to display some stupid consent thing if you’re going to have the code that you’re required to have in order to buy ads which take people to your website.

    Note that plenty of these cookie banner products don’t actually work right, because they’re quite tricky to configure correctly, as they’re attempting to solve a problem within the webpage sandbox that should be solved in the browser settings (and could easily be solved there even today by setting it to discard cookies at close of browser). However, the legal assistants or interns at the law firm pick their victims based on who isn’t showing an obvious consent screen. When they see one, it’s likely that they will move onto the next victim because it’s much easier to prove violation of the law if they didn’t even bother to put up a cookie banner. A cookie banner that doesn’t work correctly is pretty easy to claim as a mistake.

    • > If I’m a random mom and pop e-commerce site and I do not add a cookie banner, and I use any form of advertising at all, then I am opening myself up to a very expensive lawsuit

      Nope, that's not how it works. But your whole comment is a great showcase about how these myths continue to persist, even though the whole internet is out there filled with knowledge you could slurp up at a moment's notice.

Actually, if my mindset were leading, we wouldn't have cookie consent banners because we would've just banned non-essential tracking altogether.

  • Now we just have to define what’s “essential” and how to identify it, across states, countries and jurisdictions. Should be easy. ;)

    • How about this:

      'Nothing is essential until you prove it is' - apply to the cookie ombudsman for €1k to make your case for allowance.

      You complete a detailed form including giving your company registration and the reason for use of each cookie. You list each company with access.

      You pay into escrow €10 per user per company (eg 10 users, sending data to 1200 companies; 120000€) you wish to gather/keep data on, providing that user's details and an annual fee.

      Any non-trivial infringement and you get DNS blocklisted, the escrow money is paid out, CEO of the registered company is fined one year's income (max of last 4 years) and legal proceedings are started against the company and its executives.

      On application to the cookie ombudsman I can see all companies who legally have access to my data (and via which gateway company), I can withdraw access, they can withdraw service.

With cookie banners, legislation said that every website needed to ask for consent -- a thousand sites, a thousand banners.

Operating system level controls, though, provide a single control plane. One can very easily imagine OS-level toggles per application of:

[No Internet, No Internet outside your own app-sandbox, Ask me every time, Everything is allowed].

No opt in from apps required -- they might break if the network is disabled, but the user is still in control of their data.

I think society has collectively "decided" in the same way they "decided" smoking in a restaurant is great.

There's little to no conscious choice in this. But there is a lot of money in this. Like... a LOT of money. If I were to try to influence society to be okay with it, it would be a no brainer.

So, to me, it's obvious that society has been brainwashed and propagandized to accept it. But doing so generates hundreds of billions if not trillions of dollars. How, exactly, such manipulation is done is unknown to me. Probably meticulously, over the course of decades if not centuries. I know that the concept of privacy during the writing of the constitution was much, much more stringent than it was in the 70s, which is much more stringent than it is today.

But, I am very confident it is happening.

I think it's clear that users should be able to have their own agents that make these decisions. If you want an agent that always defers to you and asks about Internet access, great. If you want one that accepts it all great. If you want one that uses some fancy logic, great.

uBlock Origin's annoyances filters take care of the cookie banners, giving the best of both worlds: no banners and a minimal amount of tracking.

(The "I don't care about cookies" extension is similarly effective, but since I'm already running uBlock Origin, it makes more sense to me to enable its filter.)

  • > uBlock Origin's annoyances filters take care of the cookie banners, giving the best of both worlds: no banners and a minimal amount of tracking.

    Word of caution though, that might silently break some websites. I've lost count of the times some HTTP request silently failed because you weren't meant to be able to get some part of the website, without first rejecting/accepting the 3rd party cookies.

    Usually, disabling uBlock, rejecting/accepting the cookies and then enabling it again solves the problem. But the first time it happened, it kind of caught me by surprise, because why in holy hell would you validate those somehow?!

    • This happens to me albeit pretty rarely. This tells me that the website doesn’t respect or understand GDPR.

Why does it have to be more friction?

Users had a global way to signal “do not track me” in their browser. I don’t know why regulators didn’t mandate respecting that instead of cookie consent popups.

Apple IDs could easily have global settings about what you are comfortable with, and then have their apps respect them.

I’m spitballing here but wouldn’t another way to handle it be to return dummy / null responses by redirecting telemetry calls to something that will do so?

This would have the added benefit of being configurable and work on a bunch of apps instead of just one at a time too

I use Firefox Focus on Android and Firefox with uBO and others.

On desktop and Firefox app, I only browse through private browsing so cookies are mostly irrelevant as session ends as soon as all windows close.

I always click disallow.

And if you design software that uses tracking and what not. Go fuck yourself.

Not really. A mandatory opt-in option at the browser level would be the correct way to do it, but legislation instead forced those cookie banners onto the webpage.

  • No, legislation (the GDPR) doesn’t say anything about cookie pop ups. It says that private data (of any kind) can only be used with opt in consent, given freely, with no strings attached, with the ability to be withdrawn, that it will be kept secure, deleted when not needed for the original purpose, etc. All very reasonable stuff. Tracking cookies are affected, but the legislation covers all private data (IP, email address, your location, etc) … And if Browsers agreed on a standard to get and withdraw opt-in consent, it would be compatible with what the legislation requires.