My spouse will sometimes mention in conversation with others that I invented the cookie. This always puts me on the spot, and I have to enter into a long explanation of the what and the why of cookies least they believe that I some sort of evil software hacker. (Now for a short explanation so that HN readers don’t think that I’m an evil hacker: I invented them, with the help of a colleague, while at IBM where we were designing a distributed file system. This was before the advent of the World Wide Web.)
Better question here is, why is this not handled through the browser instead of relying on individual web apps to do it.<p>Block third party cookies by default, delete other cookies on the last tab or window closed and prompt user to save cookies on a form submit ("do not delete cookies for this domain when leaving" type of prompt, for pages with logins, settings, etc).<p>Also remove features that make easy fingerprinting possible, the site doesn't need to know every font I have installed, just have a "standard set" included with the browser, and use web fonts or whatever for other fonts.
Someone should do a talk a la "Birth and Death of Javascript"[0] on the topic of cookies. What started nearly 30 years ago as a crude means of storing state over a stateless protocol spawned an entire industrial ecosystem around systematically tracking and spying on internet users. Take a step back and it's an insane journey.<p>0 <a href="https://www.destroyallsoftware.com/talks/the-birth-and-death-of-javascript" rel="nofollow">https://www.destroyallsoftware.com/talks/the-birth-and-death...</a>
I have switched one of my sites to cookieless analytics and it is bad for everybody.<p>I can't even say how many users this site has now. It could be the same user coming back over and over. Or many users. How would I know.<p>Yes, I could track a ton of stats about every pageview like user agent, screen resolution etc and then try to stitch it back together. Trying to figure out how many different users there are. But this type of "stitching together" would probably also count as PII.<p>I cannot test new features and see if it makes users happy so they come back more often.<p>I cannot see if the site has issues on some hardware, software, language. Because I wouldn't see if users affected come back less often.<p>I can't test if an introduction text at the beginning helps users discover important features. Because I can't make the connection between showing the text early on in the user journey and usage of features later on. Because I can't see a user journey.<p>This is a site I run for the enjoyment of me and the other users. Probably a few thousand a month. And I can say the site was much easier to develop with a normal cookie approach to tracking. I have gone the cookieless way for about a year now. And I can say with certainty that it would be a better site now if I kept the cookie approach. When the developer flies blind, that's bad for everybody.<p>I think for a commercial site, where a degradation of 10% in user experience can tank the business, there is no way around cookie tracking to figure out what works for users and what doesn't.<p>This is another reason, why European internet companies do not stand a snowball's chance in hell to compete with their US competitors.<p>European companies need to bug <i>all</i> users and beg for cookies. While US companies only need to do that with their European users.
94% don't want tracking... and the remainder 6% of responses can be attributed to the lizardman constant<p><a href="https://gwern.net/note/lizardman" rel="nofollow">https://gwern.net/note/lizardman</a>
Because no one wants to give up the data, and the revenue that comes with it. They just annoy the hell out of the users until they cave in and just accept it. Since it’s a law and every website has to do it, there is no competition to think of. It’s a no brainer
"We value your privacy" is usually a true statement about the monetary value a company places on exploiting your privacy, masquerading as a moral value statement.
I recently tried to disable the consent to share my data with external companies on one website.<p>There was "accept all" and "manage" buttons, and under the "manage" button there were 100s (yes, multiple 100s) of sites listed, each with consent on by default, and to disable everything I had to manually scroll through it all and click on each item.
My main problem is cross website tracking. I don't really have a problem with a website keeping track of all my visits to that particular website.<p>I think it works similar in real life as well. You don't mind if a store clerk recognises you coming back to a shop. But you would be kind of creeped out if he also knew where and when you last visited your dentist.
I'm more curious about the question of 'who wants free content'.<p>Because that's really the question here. Would I prefer everything in my life was free with no strings attached? Obviously.<p>But youtube/news/reddit/facebook/literally any website needs to make money somehow, and non tracked ads pay rediculously lower amounts(90+%). So the real question is, would you trade what is essentially anonymous tracking (literally no one at Google gives a damn who you are, it's just a unique id fed into an algorithm) for content, or would you rather pay for each and every site on the internet?
The model of regulation-compliance is this. It's not really about the specifics. Consent, privacy, kyc... Those may be initial motives for regulation, but by the time these exist in the world, they are a set of standard, rigid "compliance" protocols.<p>From formulation stage, it allows two parallel realities. One in which "consent" or whatnot have an intuitive meaning. Politicians and activists live here. One in which "consent" is a specification for a compliant "3rd party solution." Businesses live here.<p>Once functional, the bank, website or other complying business can claim the rules were made up by the regulator, and the regulator can either claim to be successful or blame businesses for problems. Being unremarkable, by copying or using 3rd party comliance plugins is more important than respecting the regulation's intent.<p>By the time consumers are affected, "consent" has a technical specification. It no longer has much actual meaning.<p>Think of the hoops, paperwork, informed consent signatures and such that you deal with at a bank. All those things had some regulatory logic behind them initially. Employees at the bank think this is government-required paperwork. What it is is compliance.
FTA:<p>> “We value your privacy…”<p>There's a special place in hell for the originators of this Orwellian triple-speak. Three meanings overlapped: meant to give users the impression that "we <i>respect</i> your privacy" or "we <i>protect</i> your privacy"--but it doesn't say that. It says they <i>value</i> your privacy, which is literally true; they're happy to put a dollar amount on it and sell or mine it, because it's <i>of value to them</i>. That's two true senses; one inferred and one real. But the second gives rise to the third, Orwellian meaning: these people actually don't value your privacy at all. It's a <i>lie</i>, pure and simple. A special kind of lie that has such a flippant, corporate-speak, technically-accurate dry meaning that is meant for a court of law--it holds up when lawyers start arguing long technicalities before a judge--but just one level deeper it is despairingly careless and dystopian.<p>When I see this phrase I just know I don't want whatever it is these people are going to do with my data. They benefit and I don't.
As a successor of Do Not Track, there is Global Privacy Control (GPC) [1]. Sites must respect it by law in California. An increasing number of other states ---Colorado, Connecticut, Montana, and hopefully more soon --- also have provisions in their new privacy laws for privacy preference signals like GPC. You can check if a site respects GPC [2]. For example, lego.com and nfl.com are two bigger ones I recently came across.<p>Disclosure: I am a privacy researcher and co-founder of GPC.<p>[1] <a href="https://globalprivacycontrol.org/" rel="nofollow">https://globalprivacycontrol.org/</a>
[2] <a href="https://gpcsup.com/" rel="nofollow">https://gpcsup.com/</a>
We use zero cookies on our website, so we have no consent banner. But people got so used to seeing "cookie consent banners", that we are considering introducing a "no cookies here" banner.
94% of people want me to be president. Caveat: I did not define what it means for them to want me to be president.<p>In other words, what does it mean to be "tracked"? How was the question worded? You can change this value from 1% all the way up to 99% depending on how you ask the question, because "being tracked" is open to interpretation.<p>Truly a useless poll.
I don't understand why we still don't have a standard for a built-in tracking preferences system in browsers. We have that for the microphone, webcam, and location access... why do we let websites control tracking preferences with their own design they can make as obscure and manipulative as they wish?
Cause the prob being solved by search rankings, newsfeeds, maps etc is info overload. People forget that all the time.<p>There is too much info out there. Context about the user shrinks the ever growing info sphere.
This is a misleading statistic. Most people will not care if I implemented a view counter on my website that uses a cookie to prevent the same user as counting as multiple views.
I have a notion to test cookie banners, to check whether it makes any difference whether you [Accept] or [Reject]. I strongly suspect that for many sites, it doesn't.<p>Many sites seem to be offering a choice of [Accept] or [Settings]. I've never clicked on [Settings]; it might as well lead to a goatse, as far as I care. I don't want to choose options on a cookie banner at all, so why would I opt to see a complete separate page of options?
the consent charade is a constant reminder that the modern digital economy is based on large scale deceit and is therefore fundamentally unstable.<p>yet nothing is done about it, as if it is not important, as if digital tech is not the main, if not only, "driver of future economic growth".<p>you cannot build a stable economy (well at least not of a democratic, free market kind) relying on complete ignorance and regulatory capture.<p>anybody who has leverage on the matter and is not doing something about it is complicit in a gigantic, generational level misallocation of resources that will eventually have to be written of.
They exist because they’re required to through applicable laws. The companies want tracking for additional business data and very rarely actually are about the users.
Does someone know why it is legal that in some countries websites are allowed to offer layers that offer a paid version and a tracking enabled version (very popular among newspapers)?<p>As far as I understand the GDPR, there should be no downside to rejecting the tracking technologies. And Websites relying on advertising, could do so with unpersonalized ads (granted with very different metrics).<p>Nevertheless, to me it feels, like these paid vs tracked offers are not what the authors of the GDPR intended.
Related: 99.999% of users don't read T&C's, so why do consent checkboxes exist?<p>(I made the number up, but I'd be very surprised if I am off by magnitudes).
Why did nobody tell the GDPR folks to require websites and browsers use one standard interface for the permission updates? It could have been so simple. Just let the browser prompt me so I can tell the browser once and for all what I want. Instead it created a website UX virus.
I don't know how the experience is in US, but in EU it's because GDPR is a complete failure of a law which doesn't actually solve any problem.
It still feels like these dialogues are really only something lawyers could think is a good solution to companies employing invasive/overbearing uses of customer data.<p>My gut feel is that most users don't understand what "tracking" really means and simply want to enjoy digital experiences without having to engage with the "what & how" that comes with modern platforms. My partner (and I reckon many other "normal" people) loves the ads on Instagram and enjoys the personalisation on YouTube & Netflix.<p>The current solution of "be transparent and it's okay" just forces decisions onto consumers that they do not want. The "good" solution outlined in this article (accept/reject) is a big yes or a big no – a green light for everything vs a red light for nothing.<p>There needs to be further regulation in this space that defines legal vs illegal uses of user data beyond the principals laid out in GDPR. The regulation should aim to define the "what & how", relieving the burden of choice from users and removing this "consent and it's okay" loophole for invasive use of data.