Comment by bayindirh

5 hours ago

> On the flip side, the cookie banners are a perfect example of bad regulation. They’re super easy to (allegedly) comply with and the result is just an annoyance for some 300 million people and absolutely no change to company behaviour whatsoever.

While I agree that cookie banners are bad, they are not the result of bad regulation. They work perfectly for what they are. They signal that the web page is tracking you and has tracking cookies. Essential cookies are allowed and do not trigger a cookie banner requirement.

On the other hand, my browser's GPC is enabled. It sends the new "do not track" signal. As a result, when I open "show preferences" on a cookie banner, all of them come disabled by default in most cases.

Even this is a win.

The problem with this is that the DNT header is used by such a tiny minority of people that it’s basically a walking unique identifier for all of the side channels. Arguably it’s as identifying as the cookie you’re asking them not to store in the first place.

  • This is such a tired HN cliche response and it comes up as a negative whenever people mention things that actually improve users' privacy, even ad blockers.

    It honestly boils down to this:

    If some website is breaking GDPR regulations, sure, you might get somehow fingerprinted. (EDIT: Because, surprise, fingerprinting also requires consent under GDPR!)

    But for websites actually following the law, DNT is effective at best, ignored at worst. Because fingerprinting is also PII.

    Sure: saying "people might fingerprint you" is technically correct. But virtually everything else in your browser, from the size in pixels of your browser tab to your IP address can be used for fingerprinting by malicious actors.

    So yeah, if you have to use TOR (which actually has actual anti-fingerprinting measures), go ahead and remove the DNT bit. If you don't need TOR, get an ad-blocker ASAP so it at least protects you from AdWare and Tracking stuff that might fingerprint you.

    • > This is such a tired HN cliche response and it comes up as a negative whenever people mention things that actually improve users' privacy, even ad blockers.

      We’re talking about regulation here. Some things (like ad blockers) are a unanimous win for privacy but have nothing to do with regulation.

      > If some website is breaking GDPR regulations, sure, you might get somehow fingerprinted.

      The ePrivacy Directive (cookie law) has nothing to do with GDPR. The directive only deals with cookies, and informed consent for the cookies. If the goal is to improve privacy it’s a failure because it doesn’t touch any of the other numerous ways that tracking happens. If it’s to improve how websites handle cookies then it’s succeeded there I guess, but to what end?

      GDPR on the other hand is a better attempt. It’s not perfect but it actually gets to the heart of it. GDPR changed behaviours, the cookie law slapped a banner in front of half the western world and continued as things were.

  • I believe Firefox ships it enabled. So, it's already evident from my browser of choice.

    Like security, it's a matter of tradeoff and reducing the surface area.

> On the other hand, my browser's GPC is enabled. It sends the new "do not track" signal. As a result, when I open "show preferences" on a cookie banner, all of them come disabled by default in most cases.

They come as disabled because that is required by GDPR. For all settings that are not strictly necessary, consent must be opt-in. Not because you enabled DNT. That's just a flag companies don't care about because they are not legally required to care.

  • And those settings originally were all toggled on because the ads industry doesn't care

  • Nope. I don't live in a country covered by GDPR. They used to come enabled before. OneTrust's banners also show a little green text reading "Your signal to opt-out has been honored".