Look, EU, it is difficult to take you seriously when you forced all this cookie notification bullshit on us. That feature a) should not exist and b) if it did, should be a BROWSER feature not "every website in the entire world now has to bother everyone forever about this stupid thing" blog.codinghorror.com/breaking…
Breaking the Web’s Cookie Jar (Jeff Atwood, Coding Horror)
The Firefox add-in Firesheep caused quite an uproar a few weeks ago, and justifiably so. Here’s how it works: Connect to a public, unencrypted WiFi network.
Irenes (many)
in reply to Cassandrich:
yes indeed! before we joined Internet Safety Labs, the org published a spec for how that relationship between the visitor and the company should work, in an ideal world
not because anybody is going to follow that spec unless legally required to... just because sometimes you need to make your position clear
Ashley Rolfmore (leymoo)
in reply to an unavailable post:
@dalias yeah fair. I see some progress has been made on allowing ad-free Meta product usage (with payment).
But the banners I think are harder to enforce because it’s just so many companies, large and small.
Matthew Miller
in reply to Cassandrich:
Here is how my company's compliance lawyers explained it to me. There aren't really EU-wide laws. There are "directives", and each individual country then passes laws that aim to meet the goals of that directive. To make sure you're compliant with all of them, it's easiest to err on the risk-avoidant side, even though it is all deeply stupid.
Enno T. Boland
in reply to Jeff Atwood:
@dalias German here: the gist of GDPR is: people must know when someone collects personal data.
You can perfectly live without a cookie banner if you don't set one for arbitrary visitors. That was the intended result. But reality instead invented this UX nightmare, because we can't have nice things.
For me it just shows how fucked up today's web actually is.
Jeroen Baert
in reply to Liminal witch 🧙♀️ Sarah:
@xgebi @dalias Well, the cookie banners that use dark patterns are like this:
###
(BIG BUTTON) accept all 264 cookies
(Somewhere hidden three clicks away) reject all
###
It was recently ruled that accept and reject should be presented equally.
Davey
in reply to Jeff Atwood:
What if I told you that site owners could just show a Yes/No popup instead of sending visitors down a rat maze to subdue them into data collection?
This is 100% malicious compliance and if you can't see it, you're not looking closely enough in this matter.
Signed, someone whose sites don't have popups cus I'm not invested in collecting user data.
lj·rk→⁽³⁹ᶜ³⁾
in reply to Jeff Atwood:
@dalias Oh ffs, this isn't true and you should know better than perpetuating that lie.
I host multiple websites. None with cookie banners. This works even for news, e.g. @gamingonlinux -- and Liam isn't even hosting in the EU but AUS. But he, correctly, thinks that just not needing a cookie banner is exactly the right thing to do.
justJanne
in reply to Jeff Atwood:
@dalias no, it's not required. None of the EU companies I've been at needed cookie banners, and neither do you.
There's one simple trick: just don't track users. It's even possible to run ads without tracking. Print media has done so for decades!
Joe Brockmeier (@jzb)
in reply to Jeff Atwood:
@dalias The reaction you're having is *exactly* what ad tech companies hope for.
Their malicious "compliance" is not required by the GDPR, but that's how they've chosen to strike back at users for daring to use legislation to try to protect their data.
Jeroen Baert
in reply to Cassandrich:
@dalias This. All those banners tell you is "this website doesn't respect your privacy"
And there was a "Do Not Track"-flag, but respecting that was voluntary. :/
Christian "Schepp" Schaefer
in reply to Jeroen Baert:
@jbaert @dalias 💯 this!
Also here is more about the DNT HTTP header as a refresher: en.m.wikipedia.org/wiki/Do_Not…
Ad tech started ignoring it altogether when IE10 was shipping with it enabled by default, instead of having to opt in.
Gerard Cunningham ✒️
in reply to Furosshu:
Eventually an EU court will declare DNT legally binding, and there will be wailing and gnashing of teeth.
Gerard Cunningham ✒️
in reply to Cassandrich:
Won't matter. I can add a plugin, and it clearly expressed my preference. That's enough for a Court to make a ruling.
Matteꙮ Italia
in reply to Gerard Cunningham ✒️:
German court bans LinkedIn from ignoring "Do Not Track" signals (Alex Ivanovs, Stack Diary)
Gerard Cunningham ✒️
in reply to Matteꙮ Italia:
@cvtsi2sd @frosch @dalias
This one?
mastodon.ie/@faduda/1145116765… (Gerard Cunningham ✒️, 2025-05-15 11:45:17)
Wilfried Klaebe
in reply to Koen 🇺🇦:
@bonno Have a look at Max Schrems' lawsuits: en.wikipedia.org/wiki/Max_Schr…
"The EU" is not a singular entity. EU laws have to be faithfully executed too. The Irish Data Protection Commissioner doesn't.
@dalias @codinghorror
Koen 🇺🇦
in reply to Token Sane Person:
Home - Court of Justice of the European Union (CURIA)
Token Sane Person
in reply to Koen 🇺🇦:
@bonno @dalias You can't be arrested by the European police because there is no such thing.
In Ireland data protection is the responsibility of these guys dataprotection.ie/en/who-we-ar…
So what exactly are you talking about?
Matt Lewis
in reply to Cassandrich:
It's a pity that it's now apparently so hard to make a big website without using privacy-invading third-party services. It would be great if the EU dropped/replaced these, but I imagine that would involve work to keep the same functionality.
Use of cookies on our websites | European Union
Daniël Franke
in reply to Matt Lewis:
The web is a sad state of affairs, and the EU also puts almost all tech out for public tender, like the good neoliberals they are. This means that the sites are usually built by companies that make the lowest offer and have no ideals, and have no issue with any dark patterns themselves.
That said, @dalias is fully correct that if you don't track, or only keep your data to what is deemed essential for the service you offer (for example, address if you are shipping physical goods), there is no need for an annoying banner. But the tech sector has shown many times now that it much prefers malicious compliance to following the spirit of a law meant to curtail their horrendous practices. See also how Apple tried to remove PWAs when they were forced to allow browsers that use a different web backend.
I think the main thing the EU can be blamed for is not treating the tech sector more as an adversarial industry.
RevK
in reply to Cassandrich:
@dalias Indeed, but I would say it was 100% entirely predictable that this would be the outcome, and so on that basis the regulations were really badly thought out.
Personally, I think some rules on this are a tad far, it makes sense for a site to have logs and track sessions - if only to improve the site or understand traffic. The bad bit is the third parties and cross site targeted ads and profiles and shite we see in the advertising industry.
Kristoffer Lawson
in reply to Mark Koek:
@mkoek @dalias tell that to the thousands of startups desperately trying to balance with a billion other things they're trying to do. That's just not a practical suggestion when the third party analytics are much faster to set up, better understood, and generally superior too than some self-hosted thing cobbled together.
As mentioned, the reality we are in today with cookie popups everywhere was 100% predictable and the regulation was thus poorly considered.
Kristoffer Lawson
in reply to Mark Koek:
@mkoek @dalias frankly, yes. The law hasn’t changed anything of substance. Companies still use the same analytics tools. But now users are constantly nagged at, and companies have increased costs and slower go to market times as they need to faff with these things.
Perfect example of regulation that is completely misguided, and is a nuisance to almost everyone, bar a few people on Mastodon. Wrong approach.
Liam Proven
in reply to Jeff Atwood:
@mkoek @Setok @dalias
“Information wants to be free; information [also] wants to be expensive.” -- Stewart Brand
craphound.com/gbbt/Cory_Doctor…
Jeff Grigg
in reply to Liam Proven:
@lproven @mkoek @Setok @dalias
Even being the "card-carrying Libertarian" that I am, I have long said that the most fundamental errors of Libertarian philosophy are to assume that
(1) reliable information is free
[It is not. It is expensive and difficult to obtain. There's no "want" about that; it's just reality.]
and
(2) people are rational.
[Like, do I really need to explain this? Especially in the context of current politics? 🙄 ]
Jeff Atwood
in reply to Jeff Grigg:
I agree very strongly with both of these points, there is nuance here for sure, but these two points get to the heart of the matter. 💛
p.s. I am NOT and HAVE NEVER BEEN a libertarian, for the record, because..
Stryder Notavi
in reply to Jeff Grigg:
@JeffGrigg @lproven@vivaldi.net @codinghorror @mkoek @Setok @dalias Honestly, fully realising the consequences of 1 and 2 is one of the reasons I'm no longer a Libertarian - because the best way to address 1 and to a lesser extent 2 is through shared resources (public library, weather service, schools, etc) as infrastructure that we all pay for.
Suddenly having some kind of shared social obligation actually starts making sense.
ermo | Rune Morling
in reply to Stryder Notavi:
@StryderNotavi @JeffGrigg @mkoek @Setok @dalias I would be curious to hear what your journey of realisation looked like?
As in: "Which problems and questions did you encounter that made you rethink your approach? And how would you explain your own journey of the mind to someone who was brought up to breathe libertarianism like a fish breathes through water?"
Jeff Grigg
in reply to ermo | Rune Morling:
@ermo @StryderNotavi @mkoek @Setok @dalias
Personally, I was always attracted to "personal AND economic freedom," and "what (rational well-informed) consenting adults do in private is none of my business."
But, as a rationalist and computer programmer, I have to confront, daily, the issues of how costly, time-consuming and difficult it is to get reliable information, and to convey it well, for rational decision making.
Jeff Grigg
in reply to Jeff Grigg:
@ermo @StryderNotavi @mkoek @Setok @dalias
It's been obvious to me that most Libertarians take for granted most of the "socialist" benefits of society, like education, health, and safety.
I've never really liked the (U.S.) Democratic or Republican parties.
And I've had to conclude that any philosophy, taken to extremes, is harmful.
So my perspective has been that "Libertarians bring some good ideas to the table that we should discuss and consider."
Jeff Grigg
in reply to Jeff Grigg:
@ermo @StryderNotavi @mkoek @Setok @dalias
I've been told that I should join the "Green party," as it aligns better with my pragmatism.
Stryder Notavi
in reply to ermo | Rune Morling:
@ermo @JeffGrigg @mkoek @Setok @dalias This is going to be a long and somewhat disorganised thread that I'll add to over time, since there isn't really one moment or insight that led to the change so much as it was multiple threads of observations that chipped away at different parts of the belief system in parallel over time.
But it's a worthy thing to write about, so I'll do my best to cover it.
Stryder Notavi
in reply to Stryder Notavi:
I guess I'll start with the pandemic, because that was one of the more significant points in the journey.
Both because it showed me how many of my "compatriots" liked the freedom side of the story but weren't interested in the responsibility side of things - I find myself echoing Penn of Penn and Teller here. I had to realise that I was not the same as others who I thought I shared a cause with.
The pandemic also pushed me away from Libertarianism because the successful responses were all collective responses. There might be a theoretical individualist response that could have worked (where everyone appreciated their responsibility to others, and recognised that supporting that was also in their own enlightened best interests), but it was abundantly clear that idea was not much more than a nice thought that would not survive contact with human nature.
Stryder Notavi
in reply to Stryder Notavi:
@ermo @JeffGrigg @mkoek @Setok @dalias Speaking of which, "Enlightened Self Interest" is worth unpacking a bit more, as it's a bit of a "load-bearing concept" within Libertarianism.
The idea here is that it's generally in your own interests to deal fairly with others, because the long term benefits of having a good relationship (or avoiding strife) outweigh any short term advantages you might gain from exploiting others.
Whilst this is not bad advice, it doesn't tend to be true as often as Libertarian theory might pretend. Furthermore, it requires a wisdom and foresight that is unfortunately uncommon in the general population.
Just consider some of the wealthy individuals who like to hold themselves up as poster children (or, poster man-children, as the case so sadly seems to be) of Libertarianism, such as Elon Musk. It's hard to see this principle evident in their actions at all.
(Now, one might quite fairly argue at this point that their Libertarianism is probably insincere and therefore isn't relevant - and it's a fair argument to make. However the apparent insincerity of so many of its adherents is another suitcase to be unpacked, which I'll address in a later post).
Jeff Grigg
in reply to Stryder Notavi:
@StryderNotavi @ermo @mkoek @Setok @dalias
If you're in a small community where everyone knows you, and they communicate and coordinate well with each other, then you'd better treat them well.
But if you can "move on" and take advantage of others who don't know you well, then the "unenlightened self interest" is to "burn your bridges and move on," for maximum personal benefit.
Stryder Notavi
in reply to Jeff Grigg:
@JeffGrigg @ermo @mkoek @Setok @dalias Unfortunately very much the case, and it shows up in a lot of different ways in modern life.
For example, it's not uncommon to see people in the corporate world optimizing for short term results that look nice on their resume, then jumping ship to a new, better role elsewhere before the shortcuts they took become a problem.
Which also gives us situations where a corporation may take irrational actions simply because for the managers or execs involved those actions are actually rational, even if they're detrimental to their employer.
Cassandrich
in reply to Jeff Atwood:
@mkoek @Setok When the behavior of some humans is actively hostile towards others I care about, I absolutely am going to work against that behavior, and encourage others to do so too.
Not doing that is how we got where we are. Letting bad people keep pushing norms and boundaries to do harmful things they wanted to make money doing.
Open Risk
in reply to Jeff Atwood:
dunno, imho that's overstating it. People pay for pretty much everything, either directly, or indirectly via taxes. And many of the things that are now supposed to be "free" used to be paid for (newspapers, magazines etc.) without even thinking about it.
rather than a deep homo sapiens malfunction, the issue is more of a silly mix of adtech conditioning (here, free email for your data) and publishers not getting their act together for the digital age.
@dalias @mkoek @Setok
Greg Hills
in reply to Jeff Atwood:
@mkoek @Setok @dalias
"Users want everything for free, forever, and content creators want to make money to feed themselves and their families"
Wait a minute. Who are the users and who are the content creators on Stack Overflow? All the content creators were users. The ones who decided to monetise that site were a third category, site owners. Their desire for income was legitimate, but don't pretend it was the downtrodden content creators crying for money for their children.
Bert
in reply to Jeff Atwood:
@mkoek @Setok @dalias false dichotomy: there is more than the 2 extremes “free” and “personalised ads” …
There’s still the “passive advertising” choice where advertisers/ad platforms study which sites their target audience frequently stop at, and post non-tracking ads there.
As frustrating as cookie banners are, they are an EU symptom for a (mostly) US cause.
These are not the indignations you’re looking for …
justJanne
in reply to Jeff Atwood:
@mkoek @Setok @dalias
As society, we've decided that some business models shouldn't exist.
You could make the same argument about root causes and money trying to find a way about many other business models society has deemed unwanted.
Of course it's a game of whack-a-mole, but that's true whether the business model is ad telemetry (aka surveillance capitalism), fake gucci bags or cooking meth.
Luckily, the tide is slowly and surely turning against telemetry driven content.
justJanne
in reply to Kristoffer Lawson:
@Setok @mkoek @dalias None of those dialogs are legal.
Recent court decisions have forced even Google and Meta to add "reject all" buttons that are just as easy to click as "accept all". Some court decisions have found that if the Do Not Track header is set, the dialog should just automatically reject all.
Nag dialogs as you've described them are illegal. They only exist because crime is more profitable than doing things legally (e.g., Uber).
Irenes (many)
in reply to Irenes (many):
anyway: during our time at Google we were occasionally party to VP-level decision-making around privacy topics
we can attest, from our own direct knowledge, that tech companies habitually intentionally refuse to engage with public-policy debates so that they can later paint the laws and regulations that come out of those debates as uninformed by industry realities
Irenes (many)
in reply to Irenes (many):
that sort of bullshit was a lot of why we now work in civil society, instead.
the industry claims that self-regulation is the appropriate model, but then refuses to be held accountable by its own internal processes (which we were part of). therefore, change must be driven from outside the system rather than within.
scy
in reply to Jeff Atwood:
@javier Websites that don't use cookies are not involved. Neither are websites that only use cookies that are _required_ for the website to function, e.g. session tokens.
It's only when you'd like to use cookies to track users and deliver personalized ads that you have to deal with this stuff.
It's a choice.
Most websites simply don't choose the privacy-friendly option.
fedithom
in reply to scy:
THIS!
@codinghorror @javier
Claudius
in reply to scy:
one of the big problems nobody talks about: tech is largely only explained by entities who have no incentive to explain it *well*.
Google, Meta, large ad networks are all like "stupid EU makes us do Cookie banner".
While the actual regulation is actually pretty good. The regulation is basically "don't fuck around with user data. But if you do, you at least need to tell the user".
JdeBP
in reply to scy:
@scy @javier
And tell themselves the comforting lie that it is the E.U. forcing them to do this.
#EULaw
Veronica Olsen
in reply to JdeBP:
@JdeBP They peddle this bullshit very deliberately. Far too many users believe it's the EU's fault, when it is the predatory tech industry.
@scy @codinghorror @javier
Dec [{()}]
in reply to Veronica Olsen:
Most people would expect someone like @codinghorror to know better.
So why didn't you know better, @codinghorror ?
Zenie
in reply to Jeff Atwood:
I love that you don't like it.
Stop tracking people. Problem solved.
Tracking is not necessary. It is immoral.
It is tracking that ruins the internet, not cookie notices.
Världens bästa Kille™
in reply to Zenie:
@Zenie Funny thing: From a marketing standpoint all that tracking is useless.
It’s good for selling ad space, but worthless for making ads. True story.
Don Marti
in reply to Världens bästa Kille™:
@thelovebing @Zenie GitHub managed to get to a compromise: cookie banners only on content for "marketing to enterprise users" but don't hassle most users on most pages github.blog/news-insights/comp…
(EU law requires consent to be "freely given, specific, informed and unambiguous" and nobody knows enough about today's surveillance business practices to do that in most places, so it's an open question how long these will work anyway. Depends on status of the EU/USA trade war I guess)
Lori M Olson
in reply to Jeff Atwood:
So? Stop with the malicious compliance. Fixed!
mastodon.ar.al/@aral/115122589… (Aral Balkan, 2025-08-31 09:08:32)
Marcus Müller
in reply to Jeff Atwood:
@luap42 the donottrack header is exactly that at the browser level; if it's set, there's no need to ask the user about consent they're explicitly denying. For non-tracking, i.e., technically necessary (auth, user settings) cookies, that banner is not necessary.
the browser setting exists, it's not honored by website operators, who choose to show banners instead, and it is being torpedoed by Google, which is earth's dominant ad network and browser supplier.
the EU (in that case) isn't at fault.
Ashley Rolfmore (leymoo)
in reply to Irenes (many):
@ireneista @dalias yep, pretending I had no ethics, that's how I’d do it.
I am much happier helping build software in industries where they accept regulation is necessary. Turns out people are keen on trains not smashing into things, ships staying afloat and not on fire, and money arriving in the correct account.
Irenes (many)
in reply to an unavailable post:
yes. after leaving the company, we did a few years of soul-searching, and part of what we were asking ourselves was: do we still believe in that dream, of making a better world in part by actually making stuff?
we concluded that we do, but that the dream itself is grievously wounded and needs our help.
William Oldwin
in reply to William Oldwin:
As for why this isn't a browser feature, it was and is! It is a *choice* by your industry to disregard this, by ignoring DNT and not implementing GPC in major browsers. Did your site honour DNT? Does it honour GPC in places where it is not legally obliged to?
developer.mozilla.org/en-US/do…
globalprivacycontrol.org/
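Added example, not code from the thread or from any site or project named in it: a Node request handler that treats the `DNT: 1` and `Sec-GPC: 1` headers discussed in the two posts above as the browser-level answer, sets only a strictly necessary session cookie, and asks for analytics consent with accept and reject as equal buttons only when no answer exists yet. The cookie names, the `/analytics.js` path and the policy rules are this example's own assumptions.

```javascript
// Added example: honour browser-level opt-out signals (DNT, Global Privacy
// Control) before any optional tracking is wired into a page. The cookie
// names, "/analytics.js" and the policy rules are assumptions of this example.
"use strict";

// Resolve a header by name regardless of case. Node's http module already
// lower-cases header names, but hand-built header objects may not.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers || {})) {
    if (key.toLowerCase() === wanted) return String(value).trim();
  }
  return undefined;
}

// Both signals are defined as the literal value "1". Anything else means
// "no signal sent", which is not the same as consent.
function privacySignals(headers) {
  return {
    doNotTrack: getHeader(headers, "dnt") === "1",
    globalPrivacyControl: getHeader(headers, "sec-gpc") === "1",
  };
}

// Minimal Cookie-header parser: "a=1; b=2" -> { a: "1", b: "2" }.
function parseCookies(cookieHeader) {
  const cookies = {};
  for (const part of (cookieHeader || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq <= 0) continue;
    cookies[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  return cookies;
}

// Decide what the page may contain for this request:
//  - the session cookie is strictly necessary and never needs consent;
//  - the analytics script loads only after an explicit opt-in, and never when
//    the browser has already said no (a browser signal beats a stale cookie);
//  - the banner appears only when neither the browser nor the visitor has
//    answered yet.
function pagePolicy(headers) {
  const signals = privacySignals(headers);
  const optedOut = signals.doNotTrack || signals.globalPrivacyControl;
  const consent = parseCookies(getHeader(headers, "cookie")).consent;
  return {
    optedOut,
    loadAnalytics: !optedOut && consent === "granted",
    showBanner: !optedOut && consent === undefined,
    // Persist a browser-level refusal so later requests never re-ask, even if
    // the visitor's browser or extension stops sending the header.
    recordRefusal: optedOut && consent !== "denied",
  };
}

// Build the response pieces for a request: Set-Cookie values and HTML body.
// sessionId is injected so the caller controls the random source.
function render(headers, sessionId) {
  const policy = pagePolicy(headers);
  const cookies = parseCookies(getHeader(headers, "cookie"));
  const setCookies = [];
  if (!cookies.sid) {
    setCookies.push(`sid=${sessionId}; Path=/; HttpOnly; Secure; SameSite=Lax`);
  }
  if (policy.recordRefusal) {
    setCookies.push("consent=denied; Path=/; Secure; SameSite=Lax; Max-Age=31536000");
  }
  const html = ["<!doctype html><title>demo</title><p>Hello.</p>"];
  if (policy.loadAnalytics) html.push('<script src="/analytics.js"></script>');
  if (policy.showBanner) {
    // Accept and reject are the same kind of control, side by side: no big
    // "accept all" button with the refusal hidden several clicks away.
    html.push('<form method="post" action="/consent">' +
      '<button name="consent" value="granted">Accept analytics</button>' +
      '<button name="consent" value="denied">Reject analytics</button></form>');
  }
  return { policy, setCookies, body: html.join("\n") };
}

// Plain Node http handler, e.g. http.createServer(handle).listen(8080).
// The POST /consent route that stores the visitor's button choice is omitted.
function handle(req, res) {
  const rng = globalThis.crypto || require("node:crypto").webcrypto;
  const { setCookies, body } = render(req.headers, rng.randomUUID());
  res.setHeader("Content-Type", "text/html; charset=utf-8");
  if (setCookies.length) res.setHeader("Set-Cookie", setCookies);
  res.end(body);
}

if (typeof module !== "undefined") {
  module.exports = { privacySignals, parseCookies, pagePolicy, render, handle };
}
```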
FreediverX
in reply to older:
@older @jonny @willegible
A reminder that billionaires shouldn’t exist.
jonny (good kind)
in reply to Blurry Moon:
GDPR/ePrivacy doesn't require consent for first-party strictly necessary cookies like that. Cookie banners are a retaliatory measure taken by the ad industry to make people complain about the regulations - looks like it worked!
jonny (good kind)
in reply to Blurry Moon:
I'm certainly not saying the laws are perfect, but maybe this is a bad example since YouTube is such an aggressive tracker. Seems like alternatives would be to just link to YouTube or embed video directly.
Blurry Moon
in reply to populus mental:
what is the telos of a video site
Well for YouTube it is to make money by showing ads on videos so why do you even need a consent banner where the value proposition is that you watch ads to get free videos. I actually like think if it made sense you wouldn’t have the banner on anything ad supported because you are the product to advertisers. If tracking consent made sense you’d only see it on sites where it’s not obvious they are monetizing your data
jonny (good kind)
in reply to Blurry Moon:
@lebronjames75
It is pretty far from obvious to everyone that YouTube is an ad surveillance platform, unfortunately. A standard that relied on "whether a reasonable person would know they are being tracked or not" sounds like a way worse compliance burden.
Djoerd Hiemstra 🍉
in reply to Jeff Atwood:
Don’t blame the EU. Respect
DNT: 1
en.wikipedia.org/wiki/Do_Not_T…
Robert Riemann 🇪🇺
in reply to Djoerd Hiemstra 🍉:
@djoerd
Hi! Nobody stops the industry from complying through different means; it's just that the industry was mostly not so much interested and invested instead more in #DeceptiveDesign #DeceptivePattern.
forbrukerradet.no/side/compani…
arxiv.org/abs/1909.02638
#DNT #GDPR #Cookies
Kuba Orlik
in reply to Jeff Atwood:
hey, EU doesn't force cookie banners on websites. Just... don't track your users with third-party scripts and no consent mechanism is necessary then.
For context: I work as a website GDPR compliance auditor
Kuba Orlik
in reply to Kuba Orlik:
if you only use cookies for logging users in, you don't have to gather consent beforehand or have any dismissable popup.
The popup is a made-up requirement by the ad industry
GunChleoc
in reply to Kuba Orlik:
@kuba The one mistake that the EU has in the regulation is to strictly outlaw dark patterns, but if I remember correctly they did push that the decline option has to be as easy as the accept option. Compliance is still somewhat iffy though.
Speaking of browser implementation, vendors could simply have used the already existing "Do Not Track" option to comply and made a little footer with an explanation on where to set it if people haven't opted out.
Kuba Orlik
in reply to GunChleoc:
@gunchleoc
> The one mistake that the EU has in the regulation is to strictly outlaw dark patterns,
How is this a mistake?
> but if I remember correctly they did push that the decline option has to be as easy as the accept option.
Currently it's not strictly enforced by law afaik
Fazal Majid
in reply to GunChleoc
No. The mistake was not allowing individuals to sue and collect damages, only Data Protection Authorities, and letting the DPA of the company consolidate cases. Since most Big Tech companies' EU presence is incorporated in Ireland, the Irish DPA is it, and it has a track record of malicious compliance, as if it thinks its job is to promote Ireland as a HQ venue for foreign companies, not to defend the privacy of Irish and EU citizens. The EU fixed this in the DSA and DMA, but has not retroactively fixed it for GDPR enforcement.
noyb.eu/en/eu-court-irish-dpc-…
GunChleoc
in reply to Fazal Majid
@fazalmajid That's definitely a big problem. The Irish DPA won the Big Brother Award for good reason.
@kuba @codinghorror
Kuba Orlik
in reply to Fazal Majid
@fazalmajid @gunchleoc
> This is more likely to come from California than from Europe.
Why do you think this would be the case?
Robert Berger
in reply to Jeff Atwood
Except you want to sell visitor data...
mhoye
in reply to Jeff Atwood
True, but my point remains. This shitty experience we're collectively having here isn't "the EU forcing cookie notification on people", it's "the malicious compliance of companies that profit from user tracking."
Every company that shows you a cookie popup has made the choice to put a few fractions of pennies of possible future profit ahead of your experience.
gdpr.eu/cookies/
Ashley Rolfmore (leymoo)
in reply to Cassandrich
@dalias We got decent progress on encouraging https by mainstream browsers soft blocking http.
I can see a route where:
- html (new version) has some sort of header “data collected” statement with categories
- browsers can flag or not depending on personal settings
- browser defaults encourage broadly decent behaviour from companies or risk getting soft blocked for the general population.
Bluebabbler
in reply to Jeff Atwood
2. Tech companies, instead of complying, threaten to turn the tables and take away services from citizens.
3. Citizens, instead of getting angry at tech companies, complain about institutions.
4. Citizens realise too late that they have no rights.
Cassandrich
Unknown parent
@lispi314 @leymoo They may be well-intentioned* but they're not well-designed or doing everything right. They're tracking visitors without their consent.
* Normally I would not even call this well-intentioned, but as I said upthread, the fact that every web framework *automatically sets session cookies assuming you want to break the law and track users* even when the user has not indicated that they want to do something like log in or store a shopping cart, means a lot of people *don't even know they're doing it*. But this doesn't excuse it; it just makes them "well-intentioned".
LisPi
in reply to Ashley Rolfmore (leymoo)
> But the banners I think are harder to enforce because it’s just so many companies, large and small.
Why not use the fines to fund more enforcement?
Fazal Majid
in reply to Santaji
it exists, it's called Global Privacy Control:
globalprivacycontrol.org/
It's basically the same thing as Do Not Track, but legally binding this time. California has already adopted it (loeb.com/en/insights/publicati…), but sadly not yet the EU. But passing laws does nothing if it is not followed with robust enforcement.
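What honoring the signal Fazal describes looks like on the server side, as an added example (not from this thread, nor from the GPC project): the `Sec-GPC` and `DNT` header names and the `/.well-known/gpc.json` resource come from the GPC and DNT specs, while the cookie names, the `headers` object shape and the `lastUpdate` date are assumptions made for the example.

```javascript
// Added example: treat a Global Privacy Control (Sec-GPC: 1) or Do Not Track
// (DNT: 1) request header as an opt-out from non-essential tracking, so only
// cookies the site actually needs are set for those visitors.

// Assumed names of cookies that are strictly necessary for the service to work.
const ESSENTIAL = new Set(['session', 'csrf', 'consent']);

// Case-insensitive header lookup over a plain { name: value } object (assumed shape).
function getHeader(headers, name) {
  for (const [k, v] of Object.entries(headers || {})) {
    if (k.toLowerCase() === name) return String(v).trim();
  }
  return undefined;
}

// True when the visitor sent a privacy opt-out signal. Both specs define the
// literal value "1" as "do not track / do not sell or share".
function hasOptOutSignal(headers) {
  return getHeader(headers, 'sec-gpc') === '1' || getHeader(headers, 'dnt') === '1';
}

// Given the Set-Cookie directives the application wants to send, keep all of them
// for visitors without a signal, and only the essential ones for visitors with one.
function filterSetCookies(headers, setCookies) {
  const optOut = hasOptOutSignal(headers);
  const kept = [];
  const dropped = [];
  for (const directive of setCookies) {
    const name = directive.split('=')[0].trim();
    if (!optOut || ESSENTIAL.has(name)) kept.push(directive);
    else dropped.push(name);
  }
  return { optOut, kept, dropped };
}

// Body of the GPC "support resource" a site publishes at /.well-known/gpc.json
// to state that it honors the signal (lastUpdate is a constructed value).
function gpcSupportResource() {
  return { gpc: true, lastUpdate: '2024-01-01' };
}
```
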
Michał Kawalec
in reply to Koen 🇺🇦
@bonno
Note that the restrictions and enforcement here are not on the fact of having session cookies at all. You can store as many session cookies as you wish; the purpose of using these cookies is the crux of the matter.
As long as the cookies are essential for functionality of the service, you can use them without any banners whatsoever.
@leymoo @dalias @codinghorror
🪨
in reply to Jeff Atwood
There is a very simple way to respect GDPR without a cookie banner: don't use cookies for your 256 "partners" that siphon all user interactions by default, and make functional but optional cookies opt-in on the elements they require (for instance, a Google Maps element can be unloaded by default and have a small text with a button on it, explaining that it requires consent to send data to Google).
So really, the only thing that shouldn't be taken seriously regarding cookie notifications is the good will of web developers.
Davey
in reply to Jeff Atwood
If only it were possible for websites to exist without tracking the shit out of every user.
But no, these evil popups which the EU definitely said every site must have stand in the way of the newsletter sign-up popup, the three overlaid autoplaying videos, the half screen ads, and the push notifications popup that we're all just dying to see.
Wait no you can just not treat visitors like a commodity to be shopped around. Because that's gross.
🌈☔🌦️🍄🌱🍉
in reply to Jeff Atwood
Yes it should be a browser feature. But no, this blame is not with the EU. They just require consent if you do overt user tracking. Even if you would want advertising, this form is toxic as fuck and enough sites do the invasive tracking without advertising.
There is a related browser feature that helps here: the do not track header. If you honor that, you do not need to show a cookie banner when set.
Jernej Simončič
in reply to Eric Vitiello
I do agree that the EU not requiring adherence to Do Not Track was a missed opportunity.
Fazal Majid
in reply to dusoft
@dusoft @pixel mine does, Vivaldi
You can test yourself at global-privacy-control.vercel.…
StarkRG
in reply to Eric Vitiello
@pixel
Everyone should install Privacy Badger from the @eff
privacybadger.org/
You can also disable cookies more broadly or set your browser's security higher, though that can sometimes break things that you don't want broken.
To be honest, though, privacy badger and ublock manage to disable most tracking without breaking anything else, even if those notices continue to pop up. Turning on the Do Not Track browser functionality can actually make you easier to track.
Joris Meys
in reply to Jeff Atwood
nah. The EU didn't "force the cookie notice" on anyone. It just requires that if you track people, you need their consent. If data brokers choose to make the most hideous dark patterned interfaces for that, then that's on them.
Tracking people without their consent is called stalking. You sure you want to defend that?
Davey
Unknown parent
those points I can agree with, but it was the industry that decided something which is a privacy disaster was a cool and normal solution to this.
And any time people are asked, overwhelmingly they hate being tracked for targeted advertising, in the US or the EU.
And now ad revenue has gone off a cliff anyway thanks to AI scrapers, so I dunno, maybe it was an evolutionary dead end when every hot B2C start-up always settled on targeted advertising. So much for innovation, like.
Daniel Schildt
in reply to Ashley Rolfmore (leymoo)
It's the problem with lobbying: very few highly skilled people have enough free time to help decision makers without getting paid for the advice. It would help if leaders would pay for the advice of professionals, but somehow that is seen as a bad thing in the public sector (as a "waste" of tax money).
And people who mainly work in the consulting industry have gotten so used to fulfilling almost any requests from their customers that it's incredibly difficult to find consultants who would be willing to promote ethics and safety (without increased risk of losing their own jobs for keeping people's digital safety in mind).
René Seindal
in reply to Jeff Atwood
My web sites don't have cookie popups because they don't track people.
They're not obligatory. Just respect people's privacy.
Stéphane Bortzmeyer
in reply to Jeff Atwood
Sorry, but this is bullshit US propaganda. There is no obligation to have a cookie banner (my blog does not have one, for instance), even if you use cookies (a lot of important uses, such as logging in and out, are excluded).
#factChecking
Augier (fr & en) 🇵🇸🇺🇦☭🏴
in reply to Jeff Atwood
GDPR never mandated cookie banners. GDPR mandated user consent. There was a browser feature for that: the DNT HTTP header. That header was deprecated because nobody respected it. It was just easier to enforce user consent through cookie banners and dark patterns.
Nothing here is the EU's fault. You want a better option? Campaign for legislation to force websites to respect DNT.
Or… Just don't track?
Världens bästa Kille™
in reply to Jeff Atwood
I published my business’ site this Friday. No cookie consent necessary.
It’s all a matter of what cookies you (don’t) use.
Aurelian Dumanovschi
in reply to Jeff Atwood
"Encrypting everything just to protect that one lousy cookie header seems like a whole lot of overkill to me.
I’m not holding my breath for that to happen any time soon, though. "
Looks like you were wrong about both this and the GDPR cookies.
hambier
in reply to Jeff Atwood
@aurelian uBlock Origin has specific rules to filter them out. It works wonderfully on the desktop and on mobile. (Firefox/Linux and Firefox/Android)
That is the browser-based solution you're asking for.
(Without it the web is indeed unusable but put the blame where it is due ffs.)
Guillaume Rischard
in reply to hambier
Consent-O-Matic - Chrome Web Store: chromewebstore.google.com
zrb
in reply to Marcus Bointon
the fact that most frameworks with a cookie opt-in popup will remember your decision ONLY if you click "accept all", but if you click "reject all" they popup again and again, is clearly indicative of the dark pattern the data collector wishes the user to fall into.
It's likely that they excuse this behavior by saying some variation of "but if the user rejects all cookies then we can't store the fact that they rejected all cookies, and we'll have to ask them again next time" which is bullshit because they're ABSOLUTELY storing OTHER basic information about that user, they just choose not to store this. The only lasting solution to eliminate opt-in popups is to not be tracking user information in the first place.
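How a "reject all" can be remembered just as durably as an "accept all", and how 🪨's consent-gated embed upthread can be driven from the same record, as an added example that is not from this thread or any consent framework: the `consent` cookie name, the two categories, the `v1:` value format and the iframe placeholder are assumptions made for the example.

```javascript
// Added example: a first-party consent record that stores the decision itself
// (no identifier), so a rejection persists and the banner is not shown again,
// and a gate that loads a third-party embed only with consent for its category.

const CONSENT_COOKIE = 'consent';            // assumed cookie name
const CATEGORIES = ['analytics', 'embeds'];  // assumed consent categories

// Serialise a decision as a Set-Cookie directive. "Reject all" yields "v1:none",
// which is stored exactly as long as an "accept all" would be.
function buildConsentCookie(decision) {
  const granted = CATEGORIES.filter((c) => decision[c] === true);
  const value = `v1:${granted.join(',') || 'none'}`;
  const oneYear = 60 * 60 * 24 * 365;
  return `${CONSENT_COOKIE}=${value}; Path=/; Max-Age=${oneYear}; Secure; SameSite=Lax`;
}

// Parse the Cookie request header. Returns null when no decision is recorded,
// otherwise one boolean per category (all false for a recorded "reject all").
function parseConsent(cookieHeader) {
  const m = /(?:^|;\s*)consent=v1:([^;]*)/.exec(cookieHeader || '');
  if (!m) return null;
  const granted = new Set(m[1] === 'none' ? [] : m[1].split(','));
  const out = {};
  for (const c of CATEGORIES) out[c] = granted.has(c);
  return out;
}

// The banner is needed only while no decision of either kind exists.
function shouldShowBanner(cookieHeader) {
  return parseConsent(cookieHeader) === null;
}

// Server- or client-side check before emitting/loading a third-party element.
function mayLoadEmbed(cookieHeader, category) {
  const consent = parseConsent(cookieHeader);
  return consent !== null && consent[category] === true;
}

// Browser side: swap the explanatory placeholder for the real iframe only after
// consent. Guarded so the module also runs outside a browser.
function activateEmbed(placeholder, src) {
  if (typeof document === 'undefined') return false;
  const frame = document.createElement('iframe');
  frame.src = src;            // assumed third-party embed URL supplied by caller
  placeholder.replaceWith(frame);
  return true;
}
```
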
Jesse
in reply to Jeff Atwood
complain to the site, it's not the EU's fault.
I'm still amazed that all the UI/UX people have allowed sites to continue to have this bad UX.
GunChleoc
in reply to Kuba Orlik
@kuba Nobody said that it could? 😕
That's what blockers like uBlock Origin are for.
@WeirdWriter @codinghorror
GunChleoc
in reply to Kuba Orlik
@kuba The browser can't police the sites, the sites need to respect the DNT setting in the browser - which they don't, using obnoxious cookie banners instead.
So, the consent decision was implemented at the browser level, the websites just ignore it.
@WeirdWriter
Leeloo
in reply to Koen 🇺🇦
@bonno @dalias@hachyderm.io @leymoo @codinghorror
The problem is more that the EU makes the law and then leaves enforcement to the member countries.
As a result you get countries like Germany and France handing out big fines, and countries like Denmark where the data protection authority doesn't have enough staff to do anything more serious than a somewhat harshly worded letter, and politicians who refuse to spend more money on said data protection authority even though a few of those 2 billion EUR fines could pay for a lot of the stuff we "can't afford anymore".
Tyler Smith
Unknown parent
@dalias @lackthereof @pgcd @leymoo
That's what advertising is for. Is it no longer possible to do advertising without surveillance?
Reverting to advertisements based on the content of a page, rather than who is viewing it, would also make it easier to break Google's stranglehold on the web.
And maybe it's time to stop promising everything can be free forever. That's the first lie that enshittification is built on.
Cassandrich
Unknown parent
@lackthereof @pgcd @leymoo Maybe we're going by different definitions of "session". It sounds like you think it's a short-lived thing that disappears when you terminate the browser. Which, even if that were the definition, would still mean it... never disappears. Most of us have browser "sessions" 10+ years old. Mobile doesn't even have a sense of terminating the browser.
The definition I'm going by is an identifier, regardless of lifetime, that establishes distinct HTTP requests as originating from the same browser. There is no "strictly necessary" reason to do this unless the purpose of the site is maintaining a stateful interaction with the user. If the visitor is just reading your site, there is no legitimate business interest in knowing whether the load of page A and the load of page B came from the same person.
The Lack Thereof
Unknown parent
@dalias @pgcd @leymoo
under GDPR, session cookies as normally understood meet the definition of "strictly necessary" and do not require explicit consent
If your session cookie is persistent, it's not a session cookie anymore. Not persisting from one browser session to another is kind of a defining characteristic of a session cookie.
Cassandrich
Unknown parent
@pgcd @leymoo Nope, a session cookie is tracking. It enables processing data on you like "the same person who looked at products A, B, and C yesterday bought products C and D today". Likewise choosing what to show you based on that profiling. It might also reveal things about you to other ppl you share a computer with like "somebody using this computer was looking for information on contraceptives or HRT" etc.
Session cookies are unlawful tracking unless you consented to it by logging in to the site with the understanding and intent that you have a persistent profile and what that profile will be used for was made clear.
pgcd
in reply to Cassandrich
@dalias
Session cookies in themselves are fine - no PII involved and no third party tracking. If you only set one of those you don't need consent, the same way you don't need to consent to set a "no cookies consent" cookie
@leymoo @codinghorror
pgcd
in reply to Tyler Smith
@plantarum
Also, contextual advertising is more effective according to at least one publisher (can't search now, sorry).
I'm pretty sure Doctorow wrote extensively about it.
@codinghorror @dalias @lackthereof @leymoo
dragonfrog
in reply to Jeff Atwood
the EU didn't force cookie consent pop-ups, it forced consent pop-ups *if the cookies are used for third party surveillance*.
The obnoxious behaviour isn't the pop-up, it's the surveillance. The pop-up just makes the obnoxious behaviour visible. If website owners don't want to be seen to be obnoxious, they used to be able to choose to hide what they were up to; now they must choose not to be obnoxious.
That's a good thing.
Gregory
in reply to Jeff Atwood
then the plan needs to be reconsidered based on how it was interpreted. Regulate the way these consent forms should look, how much space they can occupy, how much functionality should be still available to a user who ignores the thing, etc. Something akin to tobacco packaging laws.
The long-term solution would be to abolish support for third-party cookies in browsers, but that's hard considering all of them are either owned or heavily influenced by an interested party, Google.
:thonk:
in reply to Gregory
website gives cookie popup?
IP gets nuked.
Simple
@grishka
@codinghorror