
Comment by vouwfietsman

2 days ago

> So you like the law, but don't like how it didn't actually solve the problem it was trying to solve?

(Not the person you replied to)

I'm not sure where all of this is coming from; the law is actually extremely obvious and useful: you want to track people, they have to be informed, and have to consent. The law says nothing about how, and the way it was implemented was entirely up to the corporations' discretion, which of course opted for the most malicious, terrible way to do it, but they did it.

The purpose of the law was that people should be informed about cookies being installed and consent to that happening.

Do you feel like people are now aware that cookies are being installed, more so than before the banner? Do people understand that they are consenting to this?

That is the law at work.

Everything above and beyond that is nice to have, and I'm sure the world would be better for it, but without the EU, people probably wouldn't even know what cookies were, let alone understand (or have control over) how they are being tracked.

If that's not a net positive in a world where net-negatives happen every week, I don't know.

> Do you feel like people are now aware that cookies are being installed, more so than before the banner? Do people understand that they are consenting to this?

> That is the law at work.

The problem is that's not what anybody, including the users, want. Nobody cares that browsers have cookies as an implementation detail. It's a ridiculous thing to use as the basis of a privacy rule. Does the user care that the site uses cookies to implement a shopping cart feature? Does the user not care that the site is tracking them without cookies using device fingerprinting? Cookies were never the problem.

On top of that, they were the thing the users already had control over. Browsers allow you to delete or reject cookies, provide private browsing modes that don't submit them, etc.

Meanwhile the things that would actually be useful, like prohibiting services from requiring the user to provide a phone number (a de facto cross-service, cross-device tracking ID) in order to use the service, or requiring device attestation (which uniquely identifies the device), are left unaddressed.

  • I am eagerly awaiting your grassroots campaign to define legislation that would tackle such uses, and also eagerly awaiting it backfiring because of malicious compliance.

    • Malicious compliance is a result of incompetent drafting. It's common because incompetent drafting is common, case in point GDPR. It's definitely possible to screw it up less than that -- there are many laws that nobody complains about.

      You pass a law prohibiting any entity from conditioning the use of their service on the user providing them with a phone number. Even services that actually use SMS or voice calls are required to provide an alternative like email or the web with no reduction in functionality and for no additional cost.

      You pass a law stating that any device which is sold or leased to anyone who takes physical possession of it cannot contain a private key the customer is unable to both read and extricate at no cost.

      What does malicious compliance look like there? Anyone can give them an email instead of a phone number and if that doesn't work they're in violation. Remote attestation is the only reason for devices to come from the factory containing an inaccessible private key, which is thereby prohibited and unable to be used as a tracking ID.

  • Cookies are not the basis of the law, which is about tracking in general, abstracted from the exact means and implementation details.

    • The law contains some ridiculous language about storing data on the user's device, which applies to cookies in particular even though that category in general makes no coherent sense, because the thing that should matter is if you can identify the user/device, not whether you used something in the shape of a cookie to do it.