Comment by bArray
10 hours ago
I was sitting in a room the other day with a young adult, we were searching for additional algorithm learning materials. They searched in Google, and accepted the cookies. They clicked on a website, and accepted those cookies too. They then started entering their email address to access another service. I was completely taken aback.
I'm the sort of person that either rejects the cookies, or will use another site entirely to avoid some weird dark-pattern cookie trickery. I don't like the idea of any particular service getting more information than they should.
Sitting there I realized, we were not the real target. It is the young people that are growing up conditioned to press accept, enter any details asked of them, and to not value their personal data. Sadly, the damage is already done.
I am in my mid forties, been working as a professional software developer for over 20 years.
I click “accept the cookies” almost every time. I just personally don’t feel it’s worth the effort and cost to try to avoid it.
What “dark pattern cookie trick” are you worried about? I just can’t come up with a scenario where it will actually harm me in any way. All the examples I have heard are either completely implausible, don’t actually seem that bad to me, or are things that are trivially easy to do even without any cookies.
Now, I am not going around giving my real email out to random sites, though, although even that doesn’t strike me as particularly dangerous. I already get infinite spam, and I am sure there are millions of other ways to get my email address… it is supposed to be something you give out, after all.
I just don’t think it is something that is worth stressing out about and fighting against. Maybe I am actually naive, but I just have not yet been convinced I should actually care.
First of all, if you don't practice any tracking limitation, you're almost certainly giving additional parties (directly or otherwise) access to your personal information. This is marketing data brokerage, this is the whole ballgame.
To your point about the actual harm, I've come to see it as a kind of ecological problem. Wasting energy and sending more trash to a landfill doesn't harm me individually, at least not immediately. But it does harm in aggregate, and it is probably directly related to other general harms, like overall health outcomes, efficiency, energy costs, etc.
No, accepting cookies by itself may not do much to me, but the broader surveillance and attention economy that relies on such apathy certainly has.
Sadly, this still doesn't do anything to show me that I should opt out.
I, as an individual, am not going to have any effect on a business if I opt out or not. No business decision is going to be made because I opt out.
You might argue that it will matter if enough of us do it. Sure, that is true... but again, it won't matter if I do it or not. If N number of people opting out is enough to ruin the business model, then N-1 is surely enough as well. There is a 0% chance that I am the one who finally causes the system to collapse.
I do use an ad blocker, and never click on ads. I feel like that action has a bigger return on investment than not clicking the cookie banner.
If having more information about me allows the website to charge more to show me an ad, and I never click any ads, then I am hopefully helping decrease the return advertisers get by using personal information.
I hear what you're saying, and instinctually I feel gross about it. But, if enabling advertising allows the website I'm visiting to stay in business, I think that might be a trade-off worth making.
Do you have any napkin math on the ecological impact in quantifiable terms? I'm just super curious what the scope of the problem is.
I turn off 3rd party cookies in the browser but I don't see first party cookies as big of a threat and I click accept just in case it breaks the website somehow.
The effect of that data is serving you better ads. It's not a big deal. Dystopian governments have way better sources of citizen data than anonymized ad exchanges. It basically just powers product discovery in a giant global marketplace.
> I click “accept the cookies” almost every time. I just personally don’t feel it’s worth the effort and cost to try to avoid it.
the effort and cost to download an ad-blocker that automatically removes the prompt to accept/deny entirely is practically zero and the amount of clicks you'd save yourself would quickly exceed the clicks it took to install the blocker.
> I just don’t think it is something that is worth stressing out about and fighting against. Maybe I am actually naive
It seems like you are, but that's just how our brains work. We're very bad at judging long term and abstract risks, especially when the consequences and their connection to the cause are intentionally kept unclear. For example, when people's cars started collecting data on their driving habits and selling that data to insurance companies a lot of people saw their insurance rates go up, but none of the insurance companies said that it was because of the data collected from their cars. I'd be willing to bet the data being collected by tracking your browsing history has already been screwing you over in various aspects of your life, online and offline, but you won't be told when it happens or why.
> I'd be willing to bet the data being collected by tracking your browsing history has already been screwing you over in various aspects of your life, online and offline, but you won't be told when it happens or why.
Ok, can you give me a plausible example of what that harm could be? This seems in line with the exact thing I said in my comment; every time I ask how it could harm me, I am given vague statements about tracking and data. Charging me more if they think I can afford it is surely a thing to worry about, but there are so many ways to do that without tracking that I already need to take actions to defend against that (comparison shopping, price history tools, etc).
I am not saying I don’t think companies can take data they have access to and use it to extract more value from me… I am saying I don’t think opting out of cookies is going to do much to change that, for better or worse.
> the effort and cost to download an ad-blocker that automatically removes the prompt to accept/deny entirely is practically zero and the amount of clicks you'd save yourself would quickly exceed the clicks it took to install the blocker.
For less-often used, e.g., non-English language sites, these often leave a site in an unusable state, e.g., non-scrollable. I often have to go into the developer tools to fix a site manually, sometimes hunting for the element to fix if it's not body or html.
> the effort and cost to download an ad-blocker that automatically removes the prompt to accept/deny entirely is practically zero
It's only zero if you don't need to interact with sites that break when you're running an adblocker. I run an ad-blocker nearly continuously, but there are all sorts of sites where I have to disable it in order to use the actual functionality of the site (and these are frequently sites I _have_ to interact with).
There’s a burden in ad blocker plugins: you never know when they will get compromised. In comparison to that, simply ignoring the cookie banner is less effort imho
this is definitely happening and for some reason, no one has any clear evidence on it.
Conspiracy theories are gossip for men.
[Reject Optional], [Essential Cookies Only] ... I am one of the people who clicks such options. But to some degree they are "privacy theater". Any website that presents you with such a choice is almost certainly loaded to the gills with tracking/analytics and various 3rd-party services that will track you with browser fingerprinting regardless of any buttons you click on the cookie banner. Nevertheless I still reject them, mostly out of spite.
Feel similarly. And to be honest, even when I do select decline all, I have little confidence that the function does what it says it does.
Yes, I do not have a lot of faith that "essential" cookies are always "essential" for example.
This is how we should view all information we get from a company. If the product says organic, claims to be pure ingredients, recycled material, made in "COUNTRY", or any other claim, it is only just that. It is simply a claim that you as the customer have no way to verify.
Having seen how these things are implemented in the field, your lack of confidence is definitely well placed. Most of these things send your denial request to /dev/null
Firefox has a setting to dump cookies on exit, which I use.
When you decline, their tracking becomes illegal, so they are constantly in danger of a legal action. It's a good enough reason to decline for me.
> Now, I am not going around giving my real email out to random sites, though, although even that doesn’t strike me as particularly dangerous.
I am fanatically following my rule "one email per website". Obviously, they all route to the same inbox. Initial motivation was to see who leaks my address and simply block it. However, the separation helped me out tremendously more than I ever expected (at the very least I believe so).
I'm originally from a country with a highly oppressive regime. Years ago I signed up for financial support to a political opposition leader. Things weren't as bad and it felt safe enough at the time. They had my email, of course.
Eventually opposition systems were compromised, and the full donor list became public. The regime's response: they cross-referenced it against emails registered on government services. For quite a few whose addresses matched, police officers paid a visit — looking for grounds to fine them, pressure them, etc.
My alias for that site existed nowhere else. No match, no visit. Definitely an experience I was more than happy to avoid.
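The "one email per website" rule from the comment above, sketched as an added example (not code from the thread or from any commenter): each site gets an opaque alias derived with a keyed hash, a leaked alias is traced back to the site it was given to, and an account list is audited for addresses reused across sites. The catch-all domain `mail.example`, the secret, the site names and all function names are assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac
from typing import Dict, Iterable, List, Optional

# Constructed sample values: a catch-all domain you control and a private key.
DOMAIN = "mail.example"
SECRET = b"constructed-demo-secret-keep-private"
SITES = ["shop.example", "forum.example", "donations.example"]


def normalize_site(site: str) -> str:
    """Lower-case and drop a leading 'www.' so one site maps to one alias."""
    site = site.strip().lower().rstrip(".")
    return site[4:] if site.startswith("www.") else site


def alias_for(secret: bytes, site: str, domain: str = DOMAIN) -> str:
    """Derive a per-site address whose local part does not reveal the site.

    HMAC-SHA256 keyed with a private secret means nobody holding one alias
    can compute, or even recognise, the alias used at another site.
    """
    tag = hmac.new(secret, normalize_site(site).encode(), hashlib.sha256).digest()
    local = base64.b32encode(tag[:10]).decode().lower()  # 10 bytes -> 16 chars
    return f"{local}@{domain}"


def attribute_leak(secret: bytes, leaked_address: str,
                   known_sites: Iterable[str],
                   domain: str = DOMAIN) -> Optional[str]:
    """Return the site the leaked alias was issued to, or None if unknown.

    The alias is opaque, so attribution needs the list of sites you signed
    up to; keep that list next to the secret.
    """
    leaked = leaked_address.strip().lower()
    for site in known_sites:
        if alias_for(secret, site, domain) == leaked:
            return normalize_site(site)
    return None


def reused_addresses(accounts: Dict[str, str]) -> Dict[str, List[str]]:
    """Map every address used at more than one site to those sites.

    Any entry here is a join key: two leaked or shared datasets containing
    it can be matched against each other on the address alone.
    """
    sites_by_address: Dict[str, List[str]] = {}
    for site, address in accounts.items():
        key = address.strip().lower()
        sites_by_address.setdefault(key, []).append(normalize_site(site))
    return {a: sorted(s) for a, s in sites_by_address.items() if len(s) > 1}


if __name__ == "__main__":
    single = {site: "me@mail.example" for site in SITES}
    aliased = {site: alias_for(SECRET, site) for site in SITES}

    print("reuse with one address:", reused_addresses(single))
    print("reuse with aliases:    ", reused_addresses(aliased))

    # A constructed "spam arrived at this address" case.
    leaked = aliased["forum.example"].upper()
    print("leak attributed to:    ", attribute_leak(SECRET, leaked, SITES))
```
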
> I just have not yet been convinced I should actually care.
I'm not out to convince you since my reasons are unlikely to apply to you. There are some of us who want privacy for privacy's sake. We respect the social boundaries of other people, and find those who don't respect our social boundaries creepy. We don't much care one way or the other if those people are out to exploit us or to harm us. It is the act itself that we consider violating.
You won't notice the effects, but allowing tracking feeds your behavioral profile into the data broker economy. You can then be targeted with things like dynamic pricing based on your guesstimated income, invasive ads for significant life events, health care risk modeling, tracking your group affiliations, identity theft, and more.
Unfortunately, NOT accepting them and actively blocking things also makes you extremely identifiable.
I recently spoke with an engineer who was building a product using the information he is able to acquire from these data brokers. This includes every search query you've ever made, anything you've purchased with a credit card, and anything that is in the public record (i.e. a pending divorce case, or child custody dispute). He uses that information to generate a profile on leads to determine how much they can squeeze from this person in whatever deal they are making. (I'm not going to get more specific than that.) This person had no incentive to lie to me about what they were building.
The data trail you are creating is much more personal and invasive than you want to imagine, and in the wrong hands it could be used to devastating effect.
Every search query you’ve ever made is not available from any data broker and if you hear otherwise someone is lying
Apply the same logical test to freedom of speech, and you’ll get the same result.
You’re not missing anything about what’s likely to happen to you personally. What you’re missing is the manner in which rights shape your life and your society even when you don’t exercise them, and sometimes even when nobody is currently exercising them, and that significant harm can be built out of a vast number of smaller harms that aren’t individually that bad.
Read the fine print. You’re usually not consenting to cookies, you’re consenting to having your data gathered, processed, enriched and sold by hundreds of companies around the world.
One click usually gives random foreign corpos the right to your data across a multitude of platforms, the right to identify you across data sets, and to permanently link your device identifiers to you, for ”fraud detection” on a site which sells nothing.
Clicking on accept or deny on those notices makes no real difference, since the ”partners” and ”vendors” usually enshrine their core data activities into the ”legitimate interest” category, which has no opt-out.
Ok, so suppose I am consenting to all of those things.
I still have the same question… how is my life going to be made worse by that happening?
> Read the fine print. You’re usually not consenting to cookies, you’re consenting to having your data gathered, processed, enriched and sold by hundreds of companies around the world.
They'll get it one way or another
With IP tracking, you don't really need cookies much anymore
I don’t think there is much short term danger from the cookies. It’s more the principle of the thing. I hate the bullshit language of how we and our 1500 partners respect your privacy choices. They don’t respect anything and would sell their own grandmothers for a dollar.
I'm worried about my browsing to be tracked across the entire internet for the purposes of marketers to "enrich" my profile... just to sell me more and to sell that data to third-parties who can make all sorts of decisions based on a made up story about who I am, my preferences, my values and whatnot.
there's a reason I don't walk around naked either. it wouldn't hurt me, but I don't need that kind of exposure for no upside
> third-parties who can make all sorts of decisions based on a made up story about who I am, my preferences, my values and whatnot
You're going to be presented with ads and preyed on by marketing no matter what. The "made up story about who you are" is just even more imaginary the less they know about you. You'll simply be presented with less-targeted ads.
For me it's mostly a matter of principle. I'm against online tracking and I will do everything I can to not be monetized. Also clicking reject is not that difficult and if a website tries to make it difficult I just close the tab.
I think he is referring to how some have an "Accept cookies" and a cookie's settings, but to reject cookies you have to open a separate dialog box. I agree, and I think it is so wild that people would give their actual email to random sites.
Very few still have that, at least from Europe, and for those which do it's almost usually just a single additional step.
I'm the same, (well, mid thirties, and over a decade) but I always click accept for cookies.
The only times I've stopped, or tried to deny it is with the recent thing I've seen from some sites that say "accept cookies or pay money". I think that is scummy, and against what these regulations require, so I'll usually just close the site in that case.
Oh and to address the point from the main article, I think I'm unfortunately beholden to more companies, but would strongly prefer to not verify my identity, because I have little to no trust in the companies to safeguard my actual personal data. (rather than inferred cookie tracking data, which they can have imo).
same experience here, but one exception:
I just always click the most left button, as this is usually "cancel" or "deny" - not always right, though :-D LOL
"software developer" is pretty broad. Here this is specifically B2C (business to customer) applications. I only assume that you haven't been in this market sector, otherwise you would've been more familiar with GDPR and all the concerns that prompted it.
There was a time where the Internet was the wild west and you could've easily been personally targeted and exploited. Businesses sold your data to whoever.
Even today, if you decide to accept all cookies, you're safer than what you used to be.
Rejecting the non-essential cookies puts you in the safest spot from bad actors.
I am familiar with the GDPR. We had to do a lot of research when it came out (as well as the California version, the CCPA, where I live), and had to make some changes to how we dealt with data.
> There was a time where the Internet was the wild west and you could've easily been personally targeted and exploited. Businesses sold your data to whoever.
Yes, I remember when the internet was a much more dangerous place, in all sorts of ways. Browsers were not as secure, network security was not very robust. Most things were plain text. Hell, my friends and I used to run ettercap in our college dorm, because the entire dorm LAN was unprotected from ARP spoofing. Everything was sent in plain text, we would capture email passwords, AIM passwords, etc. We would play pranks on each other where we would spoof AIM messages to different people pretending we were someone else on the dorm floor.
I think some of the regulations have helped the internet be safer, but the tech is really what has changed.
It seems crazy that no one stressed it yet: for the last few years refusing the cookies has been requiring EXACTLY the same effort as accepting them, for the wide majority of websites!!!
It's disheartening that so many people still do this (and not accepting has rarely ever required enormous efforts, to begin with).
I like to just roll over and bite the pillow, click "accept all cookies" and let them go in dry and unprotected.
I don't think you are being naive but I do caution you before you don't worry.
It's not always clear what the desired outcome is here. The dark pattern could have nothing to do with the tracking most folks worry about. We like our phones more than our laptops because we touch the screens for example. The dark pattern here could simply be you use the site more because you do more actions there driving you to waste time and view ads. Who knows.
> Maybe I am actually naive, but I just have not yet been convinced I should actually care.
You are. Tracking is extremely dangerous to the society.
Before Shiftkey offers a nurse a shift, it purchases that worker's credit history from a data-broker. Specifically, it pays to find out how much credit-card debt the nurse is carrying, and whether it is overdue.
The more desperate the nurse's financial straits are, the lower the wage on offer. Because the more desperate you are, the less it'll take to get you to come and do the gruntwork of caring for the sick, the elderly, and the dying.
https://pluralistic.net/2025/02/26/ursula-franklin/
I would imagine it's the GDPR "ACCEPT ALL COOKIES" in big font and then in very small low contrast text "select some cookies" or "reject cookies" that they were describing.
You're lucky to get a "reject" or "select some" button at all. Now I typically see "ACCEPT ALL COOKIES" or "Customize Preferences"
technically, it's the ePrivacy directive. GDPR requires the consent to process personal data and governs the data but the ePrivacy directive is the instrument that requires that god-damn-please-make-it-stop-banner.
Which is why I installed the "Consent-o-matic" extension which dutifully denies everything for me, and I have uBlock Origin for everything else.
ublock it all away. ez pz
Meanwhile I just bounce from the site 60% of the time. Most websites aren't needed for my survival, and I hope they are happy that they lost a customer while I go to their competitor.
Moral of the story is: If you want me to see your content, and maybe spend money, don't cover up your content.
Especially if you're not EU-based and not subject to GDPR, stop listening to the laws of some foreign country that doesn't control you.
> It is the young people that are growing up conditioned to press accept
It's really alarming, actually. I run the cyber security training & phishing simulations at my work, and it's the younger employees that struggle the most. It's like they just assume that everything on the web is trustworthy.
It's not hard to see why though. They grew up with app stores & locked down devices. No concept of a file or file system, no concept of software outside of the curated store & webapps. People that never had to take responsibility for their own digital safety because "someone else" (Google, Apple) always did it for them.
> It's like they just assume that everything on the web is trustworthy.
> It's not hard to see why though. They grew up with app stores & locked down devices.
When we create a safer world, people’s defense mechanisms naturally atrophy or are never developed in the first place.
The problem is, we haven't really created a safer world. We created an illusion of safety by taking away agency.
We might be safer in terms of vulnerabilities, root exploits, RCEs, etc. but the internet is still full of malware, scams are still just as rampant. Vigilance is still very much required, but is no longer taught.
Look at all the malware available on the Play Store. The curation does nothing but create an illusion of safety.
When I joined my last job I noticed that their email settings were misconfigured... EVERYTHING was going straight to the inbox, not even the most basic of spam filters were in place.
When I got filtering on observe-only mode I saw users were getting up to a dozen phishing emails every day.
We quickly did a hard simulated phishing test and most users opened the email but zero users clicked through.
Two years later, after we had excellent email filtering in place, our simulated phishing test had a 30% fail rate.
Take from that what you will!
That's the philosophy behind Safety Third.
Maybe we should make young learners in primary school use "infected" Windows XP so they can dodge spam popups and learn what and what not to click.
They'd just click it away every time, when my nephew got a gaming laptop he'd play Minecraft and the Windows Sticky Keys popup would be firing constantly, must have seen him dismiss it 15 times before I offered to show him how to get rid of it.
Growing up I had a "computing" class in high school. It's where I learned to type, but also learned the basics of using both macOS (9 at the time) and Windows.
It was also drilled into me that the default state of anything on the internet is to be untrusted and potentially harmful.
It also helped that you could actually tinker with things, and there were plenty of foot guns around to drill that lesson home.
Somewhere along the way that message got lost and didn't get communicated to the young ones, and I'm not even that old (38).
> They grew up with app stores & locked down devices. No concept of a file or file system
I think almost every Android user has these concepts.
But on the trustworthy web assumption, I agree. The only effective remedy is a personal calamity.
Are you really exposed to those concepts for daily Zoomer usage? I mean, you can spend your whole normie life using an Android phone never going to the file manager.
(fwiw it's been a while since iOS also has those concepts)
People are also struggling to think about what is computed or stored where or what different wireless interfaces do. Imagine what sort of data people enter into LLMs!
Absolutely. With many lawyers, it is client personal data.
In some sort of weird sense, it makes me appreciate the 'free armor trimming', 'alt F4 helps block attacks in pvp', and similar people in RuneScape. It gave young me a very low stakes environment to learn about scams, losing only what amounts to a little bit of my time. I wonder if there is an argument that we should encourage a certain level of scamming in video games just for the lessons it teaches at low cost? Alas, this isn't generalizable to society at large.
That's an exaggeration. Young people on average have grown up with drastically greater understanding of what a file is than any other generation that has come before them. They grew up using Chromebooks or laptops in school, constantly interacting with the local file systems, uploading files to Instagram and TikTok from the file systems on their smartphones, browsing their phones for files constantly. They know what a file is, they use & manage files more than any other generation prior.
No other prior generation comes close.
Compare them to people growing up in the 1980s. The average person at that time was overwhelmingly oblivious to computing very broadly, their grasp of a "file" as a concept would have been close to non-existent. That was just 40 years ago.
In the mid 1980s a mere 10% of US households had home computers. And that was a high mark globally, it was drastically lower in nearly every other country (closer to zero in eg China, India at that time). The number of people routinely using office PCs was still extremely low.
Today young people have a computer in their hand for hours each day, and they knowingly manage files throughout the day.
I use lights every day, but I know way less about electricity than my grandparents, two of whom could remember when their town was electrified as children and who therefore treated it as the marvel it truly is. And also because we've worked out a ton of bugs in electricity and it often just works.
My kids will know way less about filesystems than I do, because I had to learn DOS commands to navigate around the operating system if I wanted to play computer games, which led to a lifelong interest in how computers actually work at a level they can (and, so far, do) happily ignore.
You don’t upload a “file” in a “folder” to TikTok. You upload a “video” from your “library”. Consumers have been conditioned to stop thinking about files especially when it comes to media since iTunes and the iPod in 2001.
There may be some demographic groups located between people who were young during the 1980s and people who are young during the 2020s, time periods which are 40 years apart.
> They grew up using Chromebooks … in school, constantly interacting with the local file systems
While it is possible to interact with the local file system on a school Chromebook, it’s certainly not the default. School interactions with Chromebooks seem to consist of logging with highly secure passwords like “strawberry” and using Google Docs. And playing games with heavy PvP components and paid DLC (paid by parents whose kids beg for it, not by schools) that call themselves “educational” because they interject math problems needed to use those juicy spells, make no effort whatsoever to teach anything, but produce a nicely formatted report correlating scores to numbered elements of the Common Core standards.
Maybe they do more intuitively think of things as virtual objects, but it seems like the issue is they don't have a deeper understanding of how the mechanisms behind the abstractions work and can easily get fooled into accepting terms they wouldn't if they properly understood.
> Young people on average have grown up with drastically greater understanding of what a file is than any other generation that has come before them. They grew up using Chromebooks or laptops in school, constantly interacting with the local file systems, uploading files to Instagram and TikTok from the file systems on their smartphones, browsing their phones for files constantly. They know what a file is, they use & manage files more than any other generation prior.
This argument is like saying you understand nutrition because you eat food every day and haven't died yet.
And yet, it's the generation that struggles the most with managing files on their work laptops and on SMB shares.
They know app silos, not file system hierarchy. Ask a teenager where a file is on their phone and they will tell you the name of an app. Ask them how to copy it somewhere else, and they'll use the share sheet and send it to another app.
High adoption doesn't equate to high literacy.
> drastically greater understanding of what a file
No, they do not. First, simply using something does not mean you understand it at all. Secondly, because the devices they've become the most accustomed to work very hard to hide all those details from the user.
> Young people on average have grown up with drastically greater understanding of what a file is than any other generation that has come before them.
I totally disagree!!! Yes, everyone works with computer, phone, tablet, whatever, nowadays!
But does generation z "know" about what a computer is?
Absolutely not!!!
While tech has advanced and graduated IT personnel know more than previous generations (obviously!), all the rest, while they do know how to do their jobs, they know nothing about computers!!! They are pretty much like everyone else that didn't know what a computer was in generations x and previous!!!
However, contrary to previous generations, because they do interact with the tech, they represent a higher security risk for them and for others!
... Because they know nothing about it!!!
It's like giving a box of matches to a neanderthal in the middle of the woods...
Almost everyone in the "Gen x and previous" that interacted with the tech, did know what they were doing (past the initial learning phase)!!!
This does not happen after gen x!
To disagree and recycle some past writing:
> Yeah, I have a particular rant about this with respect to older generations believing "kids these days know computers." [...] they mistake confidence for competence, and the younger consumers are more confident poking around because they grew up with superior idiot-proofing. The better results are because they dare to fiddle until it works, not because they know what's wrong.
> They know what a file is, they use & manage files more than any other generation prior.
Unfortunately, they don't.
They might have had a computer in their hand for hours each day, but they barely know anything about it. The ones who do tend to be those who grew up playing on PC, as opposed to console or mobile, because the latter - despite falling under the "digital natives" aegis - are really shockingly ignorant of even basic concepts.
That's also a stereotype. Gen Z (born 1997 to 2012) is roughly 2 billion people. Among them are the technorati, and the tech literate. The influencers and the influenced. It's fair to compare what was available to them growing up, vs yourself (I learned to program before there was Google), but it's hard to say things that are going to be universally true across that many humans that are interesting. Most of them will have two arms and two legs but will most be able to navigate /etc/systemd/user/? Can't say.
It's not just cookies, it's explicit consent to track you, and sell your browsing history to ~1500 spy companies around the world.
To the sibling comments: don't "accept the cookies" and then delete them.
- - -
I'm super angry at what the web has become, especially at the OS browser community. There is 0 browser (that I know of) that can access the web safely and conveniently. Atm I use Firefox with uBlock which blocks the cookie banners, but Firefox's extension model is broken, and every single extension provides 100% access to my websites to whoever controls the extension. I don't like it.
We need a browser with a safe extension model.
- - -
edit: I guess using 2 Firefox profiles, one with uBlock and one with my google/facebook/bank/amazon/etc accounts solves the threat posed by uBlock and extensions. I still don't like it.
Not just the web. Last time I installed Backdrops on my phone (a nice wallpaper app), you would literally approve hundreds of uses of your data when you press Consent. Even if you choose to manage choices, 200 'legitimate interest' options are enabled by default. Even when you are a paying Pro user. Data used includes location data.
What makes it worse is that a substantial portion of users block web trackers through an adblocker. However on phones, unless you have a rooted phone or use some DNS-based blocker, all these analytics get uploaded without restraint.
> Atm I use Firefox with uBlock which blocks the cookie banners, but Firefox's extension model is broken, and every single extension provides 100% access to my websites to whoever controls the extension. I don't like it.
Some browsers (e.g. Vanadium, Vivaldi) have a built-in adblocker, so you have to trust one party less.
> Last time I installed Backdrops on my phone (a nice wallpaper app), you would literally approve hundreds of uses of your data
Why are you using that malware? Is a "nice wallpaper" worth the security risks? Really?
How would you implement ability to arbitrarily block any network connection on any website without giving an extension 100% access?
> How would you implement ability to arbitrarily block any network connection on any website without giving an extension 100% access?
Browsers should provide a filtering option before they make a request.
IMO a lot of no-brainer options are missing from personal computers. Like the ability to start a program with restricted access to files, network or OS calls (on Windows and on Linux). Browsers should provide the ability to inspect, and filter network access, run custom javascript on websites, etc.
Safari’s extension model could be really good by now, had they not stopped putting effort into it. You are able to define which extensions have access to which websites, and if that applies always or only in non-Private¹ mode. You can also easily allow an extension access for one day on one website.
But there are a couple of things I find subpar:
You can’t import/export a list of website permissions. For a couple of extensions I’d like to say “you have access to every website, except this narrow list” and be able to edit that list and share it between extensions.
On iOS, the only way to explicitly deny website access in an extension’s permissions is to first allow it, then change the configuration to deny. This is bonkers. As per the example above, to allow an extension access to everything except a narrow list of websites is to first allow access to all of them.
Finally, these permissions do not sync between macOS and iOS, which increases the maintenance burden.
¹ Private being the equivalent to incognito.
> every single extension provides 100% access to my websites to whoever controls the extension.
But the browser also has 100% access to all of the websites. The browser is software that works for you. You control the browser.
Who but yourself do you imagine controls your extensions?
> The browser is software that works for you. You control the browser.
Oh really? Then why do my browsers keep moving things?
I had similar frustrations and been maintaining a Firefox fork trying to fill a gap there. The result is Konform Browser and I think it might be relevant to you; please check it out!
> every single extension provides 100% access to my websites to whoever controls the extension
That feels like a bit of an overstatement and depends on what addons you use and how you install them... CSPs at least make it possible to restrict such things by policy (assuming user has been exposed to it and parsed it...). https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/Web... MV3 introduced further restrictions and controls regarding addon capabilities. While I agree the UI and UX around this could be much better, it's not all hopeless. The underlying pieces are mostly there.
While the fundamental addon execution security model in Konform Browser is inherited from upstream, for core addons like uBO you can improve the supply-chain security situation by loading it under "system scope" and disable addon updates in the browser itself. So while we don't (yet) improve on the runtime aspects you speak of, at least for now we can tighten up the supply-chain side to minimize risk of bad code running in the first place.
Literally `apt-get install webext-ublock-origin-firefox`.
"Enterprise policy files" can be used to change Firefox behavior and tweak security model around addon loading. A little explanation and reference of how it works if you want to do the same in other FF build or for other addons:
How would an extension work if it didn't have access to the website you're browsing?
Pick one:
- Read-only access to cross-tab web site content
- Ability to modify web site content
- Ability to access the network
They can always "access the network" in that the extension developer can push static updates for things like ad block lists or security updates.
It might be possible to have "read only" cross-tab access include automation APIs like keyboard + mouse, with user prompting to prevent data exfiltration.
What would a safe extension model look like to you?
At some point, you have to implicitly trust someone unless you audit every line of code (or write it yourself) and build everything from source that you run.
> What would a safe extension model look like to you?
> At some point, you have to implicitly trust someone
A model so I trust my OS and my browser, and I don't have to trust anyone else, that is, they can't harm me.
This is a solved problem for at least ad blockers for over a decade on iOS. The ad blocking extension gives Safari a list of URLs and regex expressions to block
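The declarative model described in the comment above, where the extension hands the browser a rule list and never sees page traffic, as an added example that is not from the thread. The rule shape follows Safari's content-blocker JSON; the evaluator is a simplified stand-in for the browser, and every hostname is constructed.

```javascript
// Added illustration: declarative content blocking, simplified.
// The extension contributes RULES (inert data). The functions below stand in
// for the browser, which is the only party that ever sees request URLs.

// Constructed rule list in the shape of Safari content-blocker JSON.
const RULES = [
  { trigger: { "url-filter": "^https?://([^/]+\\.)?tracker\\.example/",
               "load-type": ["third-party"] },
    action: { type: "block" } },
  { trigger: { "url-filter": "/consent-banner\\.js", "resource-type": ["script"] },
    action: { type: "block" } },
  // Later rules win: leave the banking site untouched.
  { trigger: { "url-filter": ".*", "if-domain": ["bank.example"] },
    action: { type: "ignore-previous-rules" } },
];

const TRIGGER_KEYS = new Set(["url-filter", "resource-type", "load-type", "if-domain"]);
const ACTIONS = new Set(["block", "ignore-previous-rules"]);

// Validate and compile once. Anything outside the allowlisted vocabulary is
// rejected, so a rule list cannot smuggle in script or new capabilities.
// (Safari also restricts the regex syntax; this sketch passes it to RegExp as-is.)
function compileRules(rules) {
  return rules.map((rule, i) => {
    const trigger = rule.trigger || {};
    const action = (rule.action || {}).type;
    for (const key of Object.keys(trigger)) {
      if (!TRIGGER_KEYS.has(key)) throw new TypeError(`rule ${i}: unknown trigger key ${key}`);
    }
    if (typeof trigger["url-filter"] !== "string") {
      throw new TypeError(`rule ${i}: url-filter is required`);
    }
    if (!ACTIONS.has(action)) throw new TypeError(`rule ${i}: unsupported action ${action}`);
    return {
      re: new RegExp(trigger["url-filter"]),
      types: trigger["resource-type"] || null,
      loadTypes: trigger["load-type"] || null,
      ifDomains: trigger["if-domain"] || null,
      action,
    };
  });
}

// Simplification: "same site" means equal host or a subdomain of it.
// Real browsers compare registrable domains (eTLD+1).
const sameSite = (host, domain) => host === domain || host.endsWith("." + domain);

function ruleMatches(rule, req) {
  const pageHost = new URL(req.pageUrl).hostname;
  const reqHost = new URL(req.url).hostname;
  if (!rule.re.test(req.url)) return false;
  if (rule.types && !rule.types.includes(req.type)) return false;
  if (rule.loadTypes) {
    const party = sameSite(reqHost, pageHost) ? "first-party" : "third-party";
    if (!rule.loadTypes.includes(party)) return false;
  }
  if (rule.ifDomains && !rule.ifDomains.some((d) => sameSite(pageHost, d))) return false;
  return true;
}

// Rules are evaluated in order; "ignore-previous-rules" cancels earlier hits.
function decide(compiled, req) {
  let blocked = false;
  for (const rule of compiled) {
    if (!ruleMatches(rule, req)) continue;
    blocked = rule.action === "block";
  }
  return blocked ? "block" : "allow";
}

const compiled = compileRules(RULES);

// Constructed requests, as the browser would see them.
const samples = [
  { url: "https://cdn.tracker.example/p.gif", type: "image", pageUrl: "https://news.example/" },
  { url: "https://cdn.tracker.example/p.gif", type: "image", pageUrl: "https://tracker.example/" },
  { url: "https://news.example/static/consent-banner.js", type: "script", pageUrl: "https://news.example/" },
  { url: "https://cdn.tracker.example/p.gif", type: "image", pageUrl: "https://bank.example/login" },
];
for (const req of samples) {
  console.log(decide(compiled, req), req.url, "on", new URL(req.pageUrl).hostname);
}
```

The trade-off is expressiveness: a rule list can block or exempt requests, but it cannot rewrite page content or run per-site logic, which is what the full-access model buys.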
I’m 26, probably terminally online and a professional software engineer too and I just accept cookies every single time because it’s the lowest friction path to just get the banner out of the way. Too bad for those sites tho, because I use uBlock origin on the browser, whitelist cookies by site (all cookies are otherwise always blocked everywhere) and use an always-on VPN to route all my network traffic to my PiHole DNS server.
Maybe it’s a little bit overkill but I set it all up once and only have to whitelist sites every once in a while so it’s not really an annoyance. Besides, I’m not 100% sure now but I’d say that just using uBlock is enough (if properly configured) to prevent cookie-based tracking so my setup is definitely over-engineered.
I remember when it first became widely known that the government could see your library checkouts. People protested. It was a big deal in my tiny town.
I don't even think it would be even a blip on the radar now.
It really is depressing how much ground we've given.
I was just talking about this the other day. This all happened right after 9/11(nevr 4get) and people were fucking PISSED that the patriot act wanted to look at people's library histories. It was a HUGE deal where I lived. Now? Nobody gives a shit and people will trade away their valuable privacy for an IQ test.
Can you clarify what you mean?
My local library is run by the county government, so of course the government can see the checkouts, they are the ones I check the book out from. But they restrict checkout information from others. For example, a parent can see the checkouts of their own children, but not after they turn 13.
Perhaps you're talking about subpoenas? Checking some other libraries I see SF Public Library has some discussion about that, but they delete books from your checkout history once they are returned. https://sfpl.org/about-us/confidentiality-and-usa-patriot-ac...
USA PATRIOT Act, early 2000s?
People around me (including engineers) all casually use things like Alexa, Google Home, Ring, Nest, Chrome, are always signed into Google, have all sorts of apps installed on their phones, and have no problems giving up their phone numbers to services for verification. It's crazy.
It's almost like not all "technical" people are the same, and in fact have different wants, needs, interests, tolerances and perspectives.
Terrifying.
I bet you use an Android phone don’t you?
"Apps installed on their phones"
"Use Chrome"
"Crazy"
Or, completely normal behavior. Are you suggesting that people should live in a shed in the woods like the Unabomber?
Gotta love the slippery slope argument
I use Cookie AutoDelete on Firefox and it's great. It works with Firefox Container Tabs (groups have their own cookie settings), and lets you greylist (allow cookies from a particular domain pattern until the tab is closed) or whitelist (always allow from the domain pattern). I set it up for my kids' computers also. The default is to blacklist (cookies aren't set), and I can whitelist for particular sites where they need say persistent login.
Definitely in 2026 kids should be getting tons of education in public school about how to safely browse the internet, both for personal data privacy and for safety against stalking, doxxing, grooming etc in the same way millennials were grilled about source checking internet resources like Wikipedia.
Also Firefox and Safari by default block 3p cookies everywhere, which is a significant step above Chrome
I do this, more or less, although I am a bit older. It's not as if I enter my real name, address, or email at every opportunity, but there is really no perceptible feedback loop that would force one to contemplate the consequences. I visit my local news site and the first thing I see is a massive cookie banner which lists over a thousand third-party vendors and asks me to either "Accept all", or if I am being prudent, click adjacent button called "Choose" to go to another page, then manually untick dozens of tracker categories, and then click "Allow selection". Whatever I chose, it wouldn't have any tangible impact on my life. I simply do not care.
With uBlock Origin, you would not see such popups. Also, it may not have an impact on your life, but it sure as hell has an impact on adtech guys' pockets.
Most don't even know what cookies are, too. In fact, most don't put extra thought into the things they are clicking/accepting on the web.
Because of this, I found it odd that the regulation allows displaying the accept cookies button. Instead, it should be rejecting cookies by default and a separate flow to accept tracking cookies (e.g. via account settings page)
Why not have all tracking disabled by default by law and have users opt in through Settings menus?
That's exactly my point. Sorry about the poor wording
>Siting there I realized, we were not the real target.
That is wrong. You definitely ARE the target too - perhaps not the primary one but you are part of the cohesive whole. Why would you think that Facebook sniffs for offline data about which doctors people visit? These are not accidents.
Accept the cookies and flush them out every time you close the browser. I think it would be naive anyway to assume that clicking no on a cookie banner would achieve much for your privacy.
So-called "cookie banners" usually ask for your consent to much more than optional tracking cookies. By accepting you might be giving your permission to e.g. track you through various fingerprinting methods, build a profile and share it with advertising partners.
If they are aggressive enough to do fingerprinting, what makes you think they would abide by your choice? You do browser fingerprinting when you want to overcome people rejecting cookies.
An additional reason for not browsing the web without uBlock Origin on Firefox or other browsers with full support (not Chrome).
Why even ask for the cookies if denying them doesn’t achieve much?
It’s naive to think that cookies are the only tool used for tracking, but they are the most powerful tool for web based tracking.
Because in some legal systems you're required to ask. You're also required to follow fairly specific rules related to the user's selection and data, though I can't imagine enforcement keeps up with websites breaking those laws.
Because EU Cookie Law was a flawed idea?
No, shan’t give them the metrics :)
There is a third path, Firefox focus.
Accept everything, then end the session.
That said even with throwaway relay emails I don't sign up to much
I use regular Firefox with the option to delete all data on quit. And I quit maybe once per day or so, as soon as I feel there are too many tabs open. Serves the same purpose.
The allow/reject button seems useless anyway. It's my browser allowing this, not the website. If I were worried about cookies, I'd disable them or clear at end of session.
Accepting cookies vs. entering personal information are very different buckets for me.
I just click "Accept all" on every cookie banner, life is too short to figure out which checkboxes and dark patterns I have to avoid on each site to not hand over some data...that is then later on just tracked in the backend ("server to server tracking"). Or sold by my credit card company, or tracked by me hovering over some video on YouTube. With the amount of data available unselecting some check boxes on a website just doesn't make a difference.
My inclination is to simply close the window as soon as there's a popup of any sort. If someone did that to you in public you would be within your right to punch them in their face as an act of self defense.
I doubt the average person even reads those. They are just "the thing you must click to get on with things". How many of those does a person even see in a day across all software and websites wanting to pop up with some garbage you do not care about?
> It is the young people that are growing up conditioned to press accept
There is a similar story with Ford and how they build pavement everywhere and taught the young population that roads are for cars. Now we have to drive for 10 minutes to get from one shop on the plaza to another shop on the different plaza.
It was the bikes who fought for pavement everywhere. Cars took it all over. Mud is annoying to walk in, but otherwise humans handle bare dirt just fine.
The Romans built roads across Europe instead of mud paths two thousand years before bikes were invented. Humans might be able to cross dry compacted dirt, but do much better on engineered roads than on deep, wet, sticky, slippy mud, even before thinking about carts and wagons.
https://en.wikipedia.org/wiki/Roman_roads_in_Britannia
Unless you mean something else, but Paris was paving roads in the 1750s, a lifetime before even the hobby-horse Draisine was invented:
https://en.wikipedia.org/wiki/Macadam#Pierre-Marie-J%C3%A9r%...
On that page it's mentioned that Macadam (predecessor to tarmac) was used in the USA in 1823 on a stretch of road of 10 miles which took stagecoaches 5 hours to pass in the winter before it was Macadamized, suggesting quite a desire for better roads a century before safety bicycles with chains were invented.
Then 'History of the bicycle' says:
"On the new macadam paved boulevards of Paris it was easy riding ... the "bone-shaker" enjoyed only a brief period of popularity in the United States, which ended by 1870. There is debate among bicycle historians about why it failed in the United States, but one explanation is that American road surfaces were much worse than European ones, and riding the machine on these roads was simply too difficult."
https://en.wikipedia.org/wiki/History_of_the_bicycle#1860s_a...
Although apparently it was a thing in the USA: https://en.wikipedia.org/wiki/Good_Roads_Movement
"The Good Roads Movement occurred in the United States between the late 1870s and the 1920s... a coalition between farmers' organizations groups and bicyclists' organizations .. Early organizers cited Europe where road construction and maintenance was supported by national and local governments."
And horses actually do better on dirt than on pavement.
Depending on where you live in the country mud is a certain default state.
Look at the suspension on a model T. That thing was built for the dirt wagon roads of the time. People on youtube actually off road the thing today.
sadly I'm one of those "knowledge workers" that aren't extraordinary enough to survive on my own so I have a job. And every day when I try to login to my zero trust network my face is being scanned multiple times. And I feel the cold stare from the teenager me lol that dude would not approve such atrocity for sure. daily refresh of biometric data is just downright degrading...
I'm over "middle aged" and just accept everything as well. Same with email - who cares who has it when we have adequate filtering in this year of our lord. I've never had anything negative come of it, and I'll be surprised if anything ever does. Seems like a lot to worry about for nothing.
I had the same realization when seeing someone open up the outlook inbox and seeing a huge advert banner on the right of their screen. I had been so accustomed to using an ad blocker I realized the average person is bombarded with so much attention theft.
simple solution: go to a convenience store. Show your id, maybe 2 pieces. They frown, shrug, and give you an anonymous verification token, usable once (or maybe a set of 20), that you can then use to anonymously verify your age.
Yeah, people will sell these tokens online, but that's not the end of the world. People have bought liquor for minors who sit around the corner from the liquor store since forever. It's still a reasonable compromise.
This is a perfectly reasonable solution if the problem really is child safety. But we all know it's not. There's money in surveillance and profiling.
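The shop-issued, single-use token proposed above maps onto blind signatures: the shop signs a value it cannot read, so the website cannot link a redeemed token back to the ID check. An added example, not from the thread, using a toy-sized constructed RSA key and a non-cryptographic stand-in hash; the role names and token strings are assumptions.

```javascript
// Added illustration: blind signatures for single-use, unlinkable age tokens.
// Toy-sized constructed RSA key and a NON-cryptographic stand-in hash, chosen
// so the block runs without imports. Real systems use a vetted scheme such as
// RFC 9474 (RSA Blind Signatures) with full-size keys.

function modPow(base, exp, mod) {
  let result = 1n;
  base %= mod;
  while (exp > 0n) {
    if (exp & 1n) result = (result * base) % mod;
    base = (base * base) % mod;
    exp >>= 1n;
  }
  return result;
}

// Extended Euclid; throws when a has no inverse modulo m.
function modInv(a, m) {
  let [r0, r1, s0, s1] = [m, ((a % m) + m) % m, 0n, 1n];
  while (r1 !== 0n) {
    const q = r0 / r1;
    [r0, r1] = [r1, r0 - q * r1];
    [s0, s1] = [s1, s0 - q * s1];
  }
  if (r0 !== 1n) throw new RangeError("value is not invertible");
  return ((s0 % m) + m) % m;
}

// Issuer (the shop) key pair, constructed from two Mersenne primes.
const P = 2n ** 31n - 1n;
const Q = 2n ** 61n - 1n;
const N = P * Q;
const E = 65537n;
const D = modInv(E, (P - 1n) * (Q - 1n)); // private: never leaves the issuer

// Stand-in hash (64-bit FNV-1a). Assumption for the demo only.
function toyHash(text) {
  let h = 0xcbf29ce484222325n;
  for (const ch of text) {
    h ^= BigInt(ch.codePointAt(0));
    h = (h * 0x100000001b3n) & 0xffffffffffffffffn;
  }
  return h % N;
}

// User: hide the token hash behind a blinding factor r before showing it to the shop.
const blind = (token, r) => (toyHash(token) * modPow(r, E, N)) % N;
// Shop: checks ID in person, then signs a value it cannot read.
const signBlinded = (blinded) => modPow(blinded, D, N);
// User: strip the blinding factor; what remains is a signature on the token.
const unblind = (blindSig, r) => (blindSig * modInv(r, N)) % N;

// Website: accepts each valid token once and learns nothing about the buyer.
function makeRedeemer() {
  const spent = new Set();
  return (token, sig) => {
    if (modPow(sig, E, N) !== toyHash(token)) return "invalid";
    if (spent.has(token)) return "already-spent";
    spent.add(token);
    return "ok";
  };
}

function demo() {
  const token = "constructed-token-7f3a"; // user-chosen; random in real use
  const r = 2n ** 70n + 3n;               // constructed; CSPRNG output in real use
  const blinded = blind(token, r);
  const sig = unblind(signBlinded(blinded), r);
  const redeem = makeRedeemer();
  return {
    shopSaw: blinded,
    tokenHash: toyHash(token),
    sig,
    first: redeem(token, sig),
    replay: redeem(token, sig),
    wrongToken: redeem("constructed-token-0000", sig),
  };
}

console.log(demo());
```

The resale problem raised in the same comment is untouched by this: a bearer token proves that someone passed the check, not that the person redeeming it did.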
I saw some research awhile ago that 60% of the time, "reject cookies" is ignored.
I use chrome as “burn” browser (i only use it for non important things) and I have a dummy email that I use for signing up in everything non important as well. Perhaps this young adult was doing the same?
> the young people that are growing up conditioned to
How does the conditioning start?
> not value their personal data
Okay, but in practice how much do they do with it that isn't ad placements?
That all random game and messaging sites now want my kids' passport uploaded to some random 'id verification company' is madness.
But now instead, my 11 year old's Roblox thinks she is 18 because she wore glasses in their age verification webcam tool. And it can't be changed unless she uploads a passport, which I will never allow.
Please, gov.uk introduce a gov ID verification service? I could trust that, -ish, I have worked with public sector clients several times...
> That all random game and messaging sites now wants my kids' passport uploaded to some random 'id verification company' is madness.
This is truly crazy. Random companies interacting on this level with children is far from ideal.
> Please, gov.uk introduce a gov ID verification service? I could trust that, -ish, I have worked with public sector clients several times...
I don't like the idea of governments collecting this sort of data either.
It's not young people, it's impatient people. My mum was happy to browse the pirate bay and demonoid and all that, where all the adverts were massive throbbing cocks and hardcore porn lining the edges of the page, just so she could torrent the latest hidden object game. She became addicted to those games and it wasn't enough for me to give her credits to buy a few more of them, and because I was her son I was the tech support who had to help her unfuck her laptop after it got loaded up with another round of viruses.
The internet has maliciously complied with most if not all regulation applied to it which is where the new mass of banners and interstitials come from but the ultimate effect is to just beat the user into submission. See the EU cookie mandate and GDPR for how badly that turned out in terms of UX (even though the accountability is well in force under the hood, so the bad UX compliance failed and those sites are just screwing themselves).
In this way, Google was initially a hero but is now just another American Big Tech entity that is too big to fail and can do whatever it wants along with Meta and Amazon, and in fact now TikTok's US entity.
I would go into source, delete the overlay, undo the scroll lock
You can just find adblocker rules for cookie banners.
Does it even actually matter what you do? How many lawsuits/investigations have there been in the last decade revealing that some company or another that swore up and down was following privacy laws, protecting your data, and not selling it actually were. I'm at the point where I figure anyone who wants to track me is, and any privacy pop-ups or the like are just for show.
Yeah it's really not worth my mental energy. Sometimes I take the time to reject tracking cookies. But I figure everyone's tracking me and everyone has my SSN at this point, and as long as my credit files are locked I don't really care. Like why do I even care if people are linking all my browsing data together and then using it to market stuff to me.
FWIW I'm 43 and grew up on the dark parts of the internet.
I prefer to have a rule in ublock that blocks all cookies notices
Are those young people really doing the wrong thing by accepting? They are getting on and solving their problem, they have probably never had any personal harm done by "some weird dark-pattern cookie trickery".
It's almost like forcing (almost) every website to add these cookie banners has desensitised people to what they're actually saying.
People are getting brainwashed into giving away information on the web and real life.
In the US it's not rare to link accounts through phone numbers that are required in web forms and store memberships.
In Chile they started asking for your National Id with so many stupid pretexts that people got conditioned into just giving it away. It wasn't like this 10yrs ago. I'd rather have membership numbers.
It's technically public information, so collecting Ids is legal, but it's also a universal primary key within the country that allows merging any user-related table you run into.
Retail says it's just to associate it with receipts in case you need that later, but I'd rather just get a photo of the printed receipt for later than rely on them to find my receipt. Supermarkets, Drug stores, and petrol stations tie it to (possible) discounts or points at check-out, which is price discrimination and it's illegal, but we are on our way to get surge pricing as soon as the new US bootlicker president begins his period next week.
Giving out the Ids directly is stupid. Any sane scheme would use unlinkable attestation.
I'm pretty old and was the same as you for about five years, but now I just tick anything, much like the young adults. If they want my info, they can have it. I've not heard a convincing explanation why I, personally, should care
The problem is most of the time - perhaps all the time - you don't need to care. However you won't know about the exception until it is too late.
I'm sure many law professionals felt the same way when we started getting bombarded with EULAs.
It's been done for about a generation or two, and that's what people don't seem to realize.
In the early aughts I was sitting in on privacy discussions that reluctantly acknowledged that regardless of what we do online, surveys showed you could offer someone at the mall a free Snickers and they'd fill out the whole form.
The perceived cost to the individual of divulging their personal data is near zero; dangling nearly any incentive in front of them will induce them to let it go. And that's not a new phenomenon.
The fact that you think declining the cookies gets you privacy is the real grift. The fact that you think you're safe from tracking because of a cookie banner
Bingo
It's not just young people. I think the above represents 98% of the people out there.
We've collectively long ago crossed over from privacy to convenience, and there's no going back. You and some of us here on HN (myself included) are the outliers.
Breaches will inevitably happen. And each time one does, it'll erode people's trust in this new world of zero-anonymity-allowed. Give it time.
Have you noticed half the internet doesn’t work if you use a vpn? Even a good vpn? Even HN won’t let you create an account with a vpn. The friction applied to preventing people from deploying privacy tactics is intense. I’m not sure how we can practically resist the privacy enshittification without abandoning the internet and its convenience entirely. I’m ready to go back to paper statements and visiting my bank and writing paper checks, but I don’t think GenZ is.
I've been saying this for years. GDPR and Cookie Law were created for big corporations to legitimise data trade where before it was grey area. Now they get consent as people blindly click accept and they can make money. It was never about privacy.
If it was about privacy they would simply make all tracking and profiling opt in.
100 percent agreed
"they"... sadly indeed the damage is done, but not by "them".
Again the HN bubble, I assure that the vast majority of adults of any age are not privacy conscious.
Spot on. 99+% of those reading/making these comments use an ad blocker; 99+% of non-techies like me never have and never will.
Why would you never use an ad blocker? You like staring at billboards too?
That was kind of the point.
You're still relying on sites fulfilling what they promise in a world where facebook has been blatantly violating gdpr from day one and enforcement just isn't happening
Set your browser to block 3rd party cookies, add privacy badger and ublock origin. It will have more effect than clicking "reject"
I click "don't send me mail" every time I buy something. Every place I buy from still sends me spam at some point. There are no negative repercussions for them beyond whatever infinitesimal thing me clicking the "report as spam" button does
You know you can clear your cookies right?
I have no problems accepting the cookies - my browser cleans them every start.
Surely I don't use the web based services which require a login everyday in my main browser.
But e-mail address is a hard pass, mostly on the amount of work than anything else.
i've caught a lot of heat in the UK where i live for my position on GDPR, which is that i completely reject it, because people seem to believe it's there to protect any rights
if there's anything remotely good with GDPR is the requirement to companies to disclose known data breaches
all the rest of it is a terrible idea and only serves to nag people and legitimise the darkest of patterns
the regulation should be there to disallow companies from asking certain information, everything else regarding tracking is self-defeating as it's 1) seldom enforceable 2) hardly binding in any meaningful way 3) pushing people to concentrate their services where they have already surrendered their data 4) legitimising of dark patterns
this new and blatant step towards digital id is a hill i intend to die on, I will not comply and I will do everything in my power so that others don't have to and are even punished for doing so
GDPR has very little to do with dark patterns, nag screens, or online tracking?
> "all the rest of it is a terrible idea"
Having a legal right to ask a company for a copy of all the data they have on you is terrible?
Having a right to ask a company to correct errors in data about you, or delete data about you, that's terrible?
A company having to tell you what they intend to do with data about you and stick to it for the threat of a big fine, that's bad?
you didn't get to read all post did you
there are bits, but the total package is cancer
The cookie dialog was a mistake -- this is something that should've been handled as a browser API. A standard dialog of "do you consent to cookies yes/no/functional-only" should be part of the HTTP headers.
Same thing with age verification. My kids all have devices that are managed through parental systems like Google Family Link and Microsoft Family Safety. It would be straightforward to have a header for "user is an adult" or not, and to have a standard API for "this site is requesting metadata that you haven't said to automatically make available without permission. Do you want to send it? Y/N [ ]checkbox use this for all sites."
The only time we should even be talking about full identity verification is on user-submitted content, and even then that should be up to the site (with the commensurate legal liability of hosting anonymous slop).