
Comment by dcow

1 month ago

We suffer from a problem that engineers want nothing to do with politics. I 1000% agree we need a digital bill of rights. It pains me every time a “well behaved” website pops up a cookie consent banner for the billionth time after I already consented because the browser wiped all the persistent user identifiers available to it. For my protection -_-

I want privacy codified in human law. I didn't vote for standards bodies to pave the road to hell by removing every goddamned persistent handle we can find from existence. I didn't vote for the EU to reinvent an internet worse than popup ads by attacking the symptoms not the cause. I would rather have the internet of the 2000s back in a heartbeat than keep putting up with shitty “technical solutions” to corporations having too much power at scale. I don’t care if people break the law: prosecute them when they do and make the punishments enough to deter future law breakers.

There is absolutely something civilized beyond a lawless advertising wild west where the technical solution is to all be masked Zorros.

Why is it that if someone said “we need a legal solution to gun violence” the people that say “no we need a technical solution all people should wear kevlar and carry 9mm pistols” are considered the lunatics but when we ask for a legal solution to rampant non-consensual tracking for the purpose of indoctrinating the consumer class with propaganda we all laugh and say bah the solution must be technical? I don’t get it.

> I want privacy codified in human law

Article 12

No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks

- Paris, 1948, Universal Declaration of Human Rights

  • Which says nothing about a business profiling customers that walk through the door and selling its profiles to aggregators. It says nothing about requiring consent before soliciting individuals or subjecting them to psychologically manipulative advertisements. Etc. We need more.

    • The problem is interpretation. The key phrase is "interference with privacy" which is ambiguous yet all encompassing. You say it says nothing toward solicitation or manipulation where I interpret both of those acts as "interference with my privacy." Not saying your version is wrong, by the way, just different from mine as an example of where the protection falls apart.

      My gut feeling is that no matter how much additional and specific language we add to any bill of privacy rights, there will always be holes or work-arounds due to interpretation and semantics. This is how lawyers in most robust legal systems make their living, after all. The data that results from robbing us of consent, privacy and agency when engaged with websites, web/mobile apps and software is so insanely valuable that the people interested in collecting and selling it will be happy to keep one step ahead of whatever language we come up with that attempts to mitigate their actions.

      We need a different solution, one that returns us to the levels of implied trust I remember from the late 1990's/early 2000's Internet, one that prevents corporate entities from being the dominant drivers behind its growth and development. However, I am not technical enough or imaginative enough to even guess at what that solution might be, so from my perspective, the battle is already lost and we are at their mercy unless we avoid having an online presence as much as possible...a bit like that old classic movie War Games, the only way to win is not to play.


  • That's a declaration, which is not binding. The ECHR art. 8 has similar contents and is binding. However, it has a 'unless we really want to'-portion:

    "except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others."

    Currently 'the West' happens to be doing its best to quash international law, so I'd expect even that thin veneer to crumble rather soon.

> It pains me every time a “well behaved” website pops up a cookie consent banner for the billionth time after I already consented because the browser wiped all the persistent user identifiers available to it.

Do yourself a favor and enable the Cookie lists in uBlock Origin.

I'm personally grateful that a law requires my consent before tracking me. That means I should not be tracked without me saying OK without monetary risks.

  • > Do yourself a favor and enable the Cookie lists in uBlock Origin.

    Could you elaborate on this please? I'm sifting through the options and not sure what I'm looking for (disclaimer: I have never once opened the uBlock Origin settings menu in all the years I've used it).

  • Setting a language preference cookie is not tracking and I will die on that hill. The law requires consent before using a cookie to store even a mundane option that was just directly modified by a user. Collecting a crash report is not tracking a user. Even first party product analytics is not tracking a user.

    Tracking a user across domains using a 3rd party aggregator to serve ads and do attribution is the evil. And the EPD far overshoots the mark of specifically addressing that evil.

    • A language preference cookie is not tracking under the GDPR and doesn't need to be prompted for. Of course, if you take that language preference and feed it into your advertising to identify and target people, then it becomes tracking.


    • >The law requires consent before using a cookie to store even a mundane option that was just directly modified by a user.

      If you are referring to GDPR this is wrong. GDPR does not require consent for strictly necessary cookies.

      >Strictly necessary cookies — These cookies are essential for you to browse the website and use its features, such as accessing secure areas of the site. Cookies that allow web shops to hold your items in your cart while you are shopping online are an example of strictly necessary cookies. These cookies will generally be first-party session cookies. While it is not required to obtain consent for these cookies, what they do and why they are necessary should be explained to the user.

      https://gdpr.eu/cookies/

      Though language preference does not seem like something that requires a cookie. Just respect the Accept-Language header. There is no need to reinvent the wheel here.


    • > The law requires consent before using a cookie to store even a mundane option that was just directly modified by a user

      Nope.

      That's exactly why the evil cookie modals are not on the GDPR but only on the sites that want to track you and now need to ask you for your consent before doing so. That's usually exactly where good faith GDPR detractors are wrong, and that's what needs to be repeated again and again in those discussions.


>>We suffer from a problem that engineers want nothing to do with politics.

More on point, we suffer from a problem that far too many people of all walks of life want nothing to do with politics.

Plato made the most accurate point 2300 years ago: "The penalty for not being involved in politics is you will be ruled by your inferiors."

And, even though you may not be interested in politics, politics is ALWAYS interested in you.

  • It should be noted that Mein Kampf's first three chapters are pretty much a call for the common citizen to start becoming more interested - if not involved - in his local politics. I am of the opinion that this is the reason that the book was banned. The antisemitism in the book is far more restrained than I was expecting. But the call to hold politicians accountable to the people - that was a surprise.

    • This is an insane take on a book that literally advocates for genocide, and pushes race theory as a cause for Germany's downfall after ww1, and justification for the subsequent murder of millions.

The reason is our government and regulators are captured by business concerns which profit from our data. The government in turn views mass surveillance as a powerful tool for social control. Although there are many more people whose privacy is violated by these policies than benefit from them, the rich and powerful minority is more organized in its efforts and thus comes out ahead in the balance of power.

  • > the rich and powerful minority is more organized

    They show up. I've worked on privacy legislation at the state and local level. Barely anybody calls or writes in support. That means barely anybody would turn up to a contested primary election over it, or donate to a challenger, or organise the foregoing en masse. Contrast that with bread-and-butter or activist issues, where it's immediately clear there is political capital at the very least on the board.

    • Or the people elected by other humans could... IDK do their job of representing the people rather than a handful of corporations.

      The problem is what I said in other comments here. This is the fable of Sodom and Gomorrah in action. We have no people with any moral compass in charge.


    • > They show up. I've worked on privacy legislation at the state and local level. Barely anybody calls or writes in support.

      This is by design. A lot of people talk about RTO in regards to business real estate but there's also the aspect of keeping people so busy and exhausted that they don't show up when it matters.


Yep, you're right on the money. The correct course of action is for those of us who recognize this to cease arguing on the Internet with those who don't and connect with one another offline. We're in dire need of something akin to a 21st century Continental Congress.

"engineers want nothing to do with politics". Do you mean Comcast engineers see this as a purely technical challenge without caring about implications? In general we are seeing more engineers taking positions on a variety of political issues.

While I agree that we should have legal codes protecting our online and digital rights, I’m convinced that there are enough Bad People on the Internet that we do indeed still need strong technical protections as well.

I’ve been asked at work to build less than savory stuff, here are some general observations, none of which are admittedly an excuse:

* you get caught up in the moment, hell bent on solving the problem you don’t really think twice

* you don’t want to get that stink on you, you don’t want to be that guy that brings this type of stuff up

* you are mindful of the fact that you are being very well compensated to build it and you don’t want to lose your job

* you know it’s going to fall on deaf ears - maybe they will pay lip service, maybe they won’t but either way nothing will happen

* in the back of your mind you figure someone else is fighting the good fight

On and on, so many different things can go through your mind, who knows which it’ll be on any given day, on any given project

  • And sometimes, you don't even know what the feature will even be used for.

    Today it's an automatic subtitle generator for people with hearing difficulties. Tomorrow it'll be an AI training data generator. In a year, the NSA will re-purpose it into a mass surveillance tool.

    • > And sometimes, you don't even know what the feature will even be used for.

      I did some work in the early 2010s that we expected to be used for computational photography, gaming, and little else. Years later, after I had already left the company, its primary use case became image stabilization for quadcopter drones, something that had not crossed our minds at all when we were building that stuff.

      Cue in all the drone footage from the Russian invasion of Ukraine. FUCK. FUCK FUCK.

  • This is all true, and I suppose I participated in a signed update mechanism that I knew the (corporate) end user probably wasn't going to be given the keys to. But, I think there's a difference between this and deliberately going to work on a system that's clearly just top-down designed for something low.

    For example, I don't think there's anyone in the (large!) fixed-odds betting terminal industry that can honestly say their work is a good thing for the end users.

What law would you propose? I think the hard part is "Instagram and TikTok remain free-with-ads."

  • Good riddance to everything supported by ads.

    I genuinely wonder if people would wind up spending less money if they had to pay for services than if they get exposed to ads that lead them to buy more things. But either way, once ads and "free with ads" are gone, there's much more room for other competitors.

    • Okay, you think that, but as we've seen even banning TikTok alone is incredibly controversial and ultimately seems to have failed. Banning Instagram and TikTok doesn't seem politically feasible. So what do you do?

    • > Good riddance to everything supported by ads.

      Ads don't require pervasive and invasive tracking for every breath you take

  • Would ads still be worth enough if they were targeted based on things like what you watch/read/follow/subscribe to on that platform and your general location?

    Or can instagram only be free if ads are targeted to detailed profiles of individuals built over decades as they are tracked across the whole internet?

    • The heavily profiled ads cost a lot more money for the advertiser to run compared to traditional ads, if those platforms turn to contextual ads they do not have their special expensive profiled ads product to sell anymore.

      So it's not about the perceived effectiveness of advertisements that you feel as a user, it's about the rather more unique product that they sell to advertisers that really raises their revenue.

The problem is that the internet is international and laws are national or even by state.

There are 24 states that require ID to view porn sites. The laws are being completely ignored by popular websites that are not based in the US.

  • Yep. And plenty of US sites ignore international laws about slandering Mohammad, and so on.

    I’m not sure the lack of a global hegemony is a “problem”.

    • And another reason you don’t want laws governing the internet is that politicians are dumb. As soon as I heard about the laws I knew this was going to happen.

      https://reason.com/2025/01/24/age-verification-laws-meet-vpn...

      > "Google searches for online tools like VPNs have surged in Florida after Pornhub, one of the world's largest adult websites, blocked access to users in the state," CBS News reported earlier this month. "Since the end of November, Google searches for VPNs have surged in Florida, according to Google Trends. From the week of Dec. 22 - 28 to Dec. 29 - Jan. 4, searches nearly doubled. Since then, the numbers have gone even higher."

  • > The problem is that the internet is international and laws are national or even by state

    How is this a problem for ISPs coöperating with law enforcement?

> We suffer from a problem that engineers want nothing to do with politics.

It's not even politics, it's simple ethics.

Why would you need a user identifier to block a consent banner? You don't technically. The website requires it because it is a shitty website.

It would be enough to have your browser store a cookie without personal information with { cookieconsent: "STFU" } or some variable in local storage. If the website respected that, we would be fine.

Personal identifiers are not needed and foul compromises aren't acceptable.

I think I’m kind of on your side in general, but I have more of the opposite feeling about legal versus technical solutions. If we had no idiotic EU cookie laws, no “consent” bs required, a technical solution would be easy: default segmentation of cookies by what site you are actually visiting, plus all non-first-party ones silently expired after 60 minutes or whatever. It seems like this would be very easy, except for the fact that the number one ad network is also the only browser vendor that matters.

But the attempted legal solutions suffer from being inside the sandbox, meaning all the “cookie management” software is a pile of hacks that barely work, and rely on browsers, as you’ve noticed, to allow their cookies in the service of…limiting cookies. And of course they also suffer from the politicians who wrote them having no clue how any of this works. I suspect if they did, they’d see how dumb it is to regulate that 10,000,000 websites each implement a ton of logic to self-limit their cookies they set (hard to police, buggy) instead of telling 2-3 companies they have to make their browsers have more conservative defaults with how they keep and send cookies back. (easy to prove it’s working with testing).

  • > If we had no idiotic EU cookie laws

    The obnoxious cookie banners are not required by "idiotic EU cookie laws".

    > a technical solution would be easy: default segmentation of cookies by what site you are actually visiting, plus all non-first-party ones silently expired after 60 minutes or whatever.

    1. This was already implemented

    2. Tracking isn't limited to cookies only

    > except for the fact that the number one ad network is also the only browser vendor that matters.

    Oh, so an "easy" solution isn't easy after all. Who would've thought.

    > And of course they also suffer from the politicians who wrote them having no clue how any of this works.

    But you do? Like how you only speak about cookies when tracking and user data isn't limited to cookies? Or how "stupid EU cookie law" doesn't even talk about cookies (if we're talking about GDPR)?

    Usually the people who really have no clue are exactly the people who say that "there's an easy technical solution".

    • > The obnoxious cookie banners are not required by "idiotic EU cookie laws".

      Of course, the alternative is to not use cookies, to not use any web analytics products, or to resolve to argue the semantics of what is necessary before a judge when sued by one of the many lawyers who now advertise (ironically) all over social media with come-ons like "Did you browse FUZZYSWEATERS .COM? Your data may have been improperly used!"

      > 1. This was already implemented

      Please let me know what browser does what I describe. Close as I can come is configuring a Chromium based browser to just only keep cookies for certain domains, but it's a pain in the butt so I stopped worrying about it a long time ago.

      > Oh, so an "easy" solution isn't easy after all. Who would've thought.

      But I went on to detail the much "easier" solution where the EU aims its big swinging...list of mandates... at the 2-3 browser vendors rather than involving 10,000,000 small businesses worldwide in the business of trying to guess if they're "GDPR compliant," or could be in breach because they added some snippet of code from a useful web analytics platform that could be said to "track" users.

      Do you really think that it is easier and better to regulate millions of people/companies to make them all do a complex thing in good faith AND do it well, than to make those couple of companies sandbox cookie storage in a way that severely kneecaps cross-site tracking?

      > 2. Tracking isn't limited to cookies only

      Sure, but also I question to what extent anyone is being harmed by "tracking" in the most broad sense of that word. As far as I can tell, the public believes "tracking is a problem" primarily because they resent retargeting ads. That's all. People see a shirt or a chainsaw or an air fryer "following them around" after they browsed for one, and think "that's weird! THEY know!" Despite the fact that most of those things function very simply, do not give a shit who you are, just some ID that your browser saved and is sending back, and which is tied to a list of SKUs you showed interest in.

      The more reasonable concern is more around data brokers and the data about a person being sold and aggregated, which mostly gets concerning when it could be used for stalking, targeting political dissidents, etc. The fact that I spent 34 seconds on A product page, then 32 seconds on B, then added B to my cart and then bounced, that is the nature of all of the data being tracked on 90% of websites, they don't traffic in my location data or even want to collect sensitive information. But every website is affected by the GDPR's vague definitions of "tracking." And ironically, I assume partly because all these in-sandbox "CMPs" barely even work, I haven't even observed a decrease in retargeting ads, the #1 thing that people actually observe and are bothered by.


What law do you think mandates those annoying cookie popups?

  • It would be nice if you could argue, “well, just be a good site and don’t use marketing cookies”, but the ePrivacy Directive requires consent for performance and preference cookies too. Perhaps a liberal reading arguably allows classification of certain statistics and preferences functions to be strictly necessary, like “I wouldn’t provide this service without crash reporting because I’d go insane so it’s strictly necessary”, but most lawyers would be ill before advising as much.

    https://gdpr.eu/cookies/

    • There’s still the question of what law mandates that they are annoying pop-ups? They could be preferences in a menu, for example.

      What happened is website operators started to feel entitled to doing whatever they want with cookies on users’ machines and eventually decided to act like petulant children when the rules changed.

    • If cookies are only used for preferences functions, then I should expect that it should only require to mention the cookies in the preferences menu (I hope)? If they have a document to explain each cookie by name, then it would also be helpful, that you can enable/disable them individually (or make them read-only) by the browser settings. However, for some things such as languages there are other ways to do without using cookies, such as Accept-Language header for languages, although cookies could be used to override the Accept-Language header in case both are present in the request.

    • Yes that's the point. You don't need those things. The idea that a news article or blog post or e-commerce page could "crash" is ridiculous, and the law shouldn't humor that excuse. There's been standard ways to declaratively define such pages since before scripting frameworks gained popularity. Use those standard ways. If you're really building an app and need to performance test, buy some hardware in your target range. Privacy aware users block things like Sentry.


    • The GDPR standard of "consent" (as I suspect you know, but as context for my opinion) is applied to the ePrivacy Directive and relates to any cookies that are not strictly necessary.

      I do not like using the legal basis of "consent" for processing personal data, and I would much prefer not to need to use consent for placing cookies. As it is, in my personal capacity I can get away without placing cookies at all.

      If we had access to other lawful bases for placing cookies, I'd like to think we could work our way towards phasing out any blanket consent. I'm sure "legitimate interests" would be abused and over-relied-on. But it already is, and if we're not arguing with people about whether the "consent" they rely on is legitimate then maybe we'll have more time to worry about whether companies are using other bases appropriately.

> Why is it that if someone said “we need a legal solution to gun violence” the people that say “no we need a technical solution all people should wear kevlar and carry 9mm pistols” are considered the lunatics but when we ask for a legal solution to rampant non-consensual tracking for the purpose of indoctrinating the consumer class with propaganda we all laugh and say bah the solution must be technical? I don’t get it

I don’t know that a reasonable person would compare privacy threats to the threat of death from gun violence.

They exist in totally different altitudes of concern.