Comment by necovek
2 months ago
I am happy to learn what I may have been imagining: thanks for that!
The law has turned out to be useless, agreed — or at least, it has driven hard-to-navigate UX that we live through today. The intent could have taken us in a different direction with some care (i.e. mandating a clear, no-dark-pattern opt-out/opt-in ahead-of-time option a la DoNotTrack header that similarly failed): if web clients (browsers) were required to pass visitor's preferences and if the list of shared-with was mandated to be machine readable with an exact format (so browsers would create nice UIs), maybe we'd get somewhere.
That's precisely what was supposed to be! As you can imagine, there are strong incentives to lobby against it, so it's almost a decade late already.
Whoever came up with an idea to attach CSAM scanning provision to it is an evil genius, what an incredible way to make sure it's not going to pass any time soon.
'Do not track' was stupid. 'Cannot Be Tracked' would have worked fine. The difference is that the browser is literally the user's agent, so it should work for the user. It is the thing which identifies you today, and could easily NOT identify you without your permission if that was what was mandated -- and "big bad ad tech" could do nothing about it.
Simply select the sites whose first party cookies you want preserved, triggered only by user actively toggling it on, or prompted for on a user-triggered POST that occurs on a page with a user-filled password field (similar to how popups were killed off, no prompting on a POST done without user interaction). "Do you want to let this site '' remember you (stay logged in, etc.)?" [YES] [NO]
Otherwise delete the cookies in X minutes/hours/etc.
Or another way, keep the cookies while a tab is on the site, then once no tabs are visiting it, put them in an 'archive.' Upon visiting the site again, show a prompt "Allow to recognize you from your previous visit(s)?" <Yes> <No, be anonymous> If yes, restore them, otherwise, delete them.
It is so simple to have browsers be responsible for the user's safety, yet since we left it to politicians to decide, we got all this silliness putting it on the users -- and where the technical implementations are by necessity INSIDE the JS sandbox where it's difficult for users to verify that it's being done correctly.