You can opt out any time you like. But you can never leave.
April 8, 2024 12:50 PM

The USENIX Association have published a Report (pdf) Analysing Cookie Notice Compliance. We show that 56.7% of cookie notices do not include an option to opt out of consent, that more than 65.4% of websites with an opt-out option collect users’ data despite explicit negative consent, and that 73.4% of websites do so even when users do not interact with the cookie notice.
posted by Lanark (23 comments total) 9 users marked this as a favorite
 
As someone who posted a postprint of an accepted "privacy? y'all heard of it? because you sure ain't acting like it" article online today (journal is OK with it)... gosh I hope this leads to better enforcement which leads to better compliance.
posted by humbug at 12:54 PM on April 8 [1 favorite]


Cookie notices are literally the dumbest thing ever implemented.

Who sees all the cookie notices? Those people who have cookies disabled, blocked, or who regularly clear them, the very people who would need to be the least concerned about cookie-based tracking. On the contrary, those who accept all cookies willy-nilly, without a second thought about privacy, get a cookie set in their browser that exempts them from the endless repetition of these god-awful cookie notices.

A truly perverse incentive.
posted by I EAT TAPAS at 12:57 PM on April 8 [6 favorites]


humbug, the problem seems to be that privacy-hating businesses have managed, by intentionally making the privacy-respecting option as intrusive and painful as possible, to brand increased privacy as a bad thing—so that many casual users would rather that their privacy rights go away than that those same rights be more strictly enforced. (On preview, rather what I EAT TAPAS said, but perhaps with a more sinister cast of mind towards the corporate actors.)
posted by It is regrettable that at 12:58 PM on April 8 [3 favorites]


For a while now I have been following the routine of using I still don’t care about cookies combined with the Firefox setting [x] Delete Cookies and Site data when Firefox is closed.
Then you get no prompts and can clear out all the cookies by just closing the browser regularly.
posted by Lanark at 1:07 PM on April 8 [1 favorite]


> A truly perverse incentive.

I think a significant amount of EU lobbying on behalf of the advertising industry is the reason we are in this mess. It is working exactly as intended, just not for our benefit.
posted by Lanark at 1:10 PM on April 8 [1 favorite]


I'm the person who ALWAYS tries to find the option to decline the insidious "legitimate interest" cookies. But even where that option exists, and I click ALL of the sliders while muttering through my teeth what they can go and do, there are still the ones you can't opt out of. "Link different devices". "Match and combine offline data sources". I want to be able to refuse those! I hate the sites that railroad you to "Accept" with no other option (what the study calls "forced action").

I'm running Firefox with uBlock and have private browsing on my phone, but then it becomes a pain to re-log into all the sites it logs me out of when it clears the cookies. Still haven't found the ideal solution for this.
posted by Pallas Athena at 1:13 PM on April 8 [1 favorite]


The branding of "cookies" as some kind of big scary boogieman generally — a thing that goes back several years when laypeople heard about and misunderstood them — and then the rampant actual ridiculous abuses of them by commercial surveillance entities led us to this point. Regulators love these notice requirements because it makes them feel like something's being done, but everyone else hates them: users, site implementors, commercial surveillance dudes.

Oh, wait, there's one more entity that loves them: the companies that sell "cookie notice / management" type solutions to site implementors. Those guys love all that delicious, instrumented, "anonymized" cookie banner traffic they can sell analytics about.

The thing is, users do need better ways to control their privacy when accessing stuff, and better ways to keep commercial surveillance cookies from sticking to their sessions. Those tools belong in the user-agent, though, and the sensible default should be to just discard them outright. Just like the sensible default should be to deny traffic to, well, a whole bunch of endpoints that aren't doing anything but serving ads and collecting analytics.

Every user-agent should just ship with OISD Large as a default denylist. That would have been a preferable regulation over requiring 'cookie notices' and all the other stuff that GDPR ostensibly choked down site operators' throats.
posted by majick at 1:16 PM on April 8 [1 favorite]


> On the contrary, those who accept all cookies willy-nilly, without a second thought about privacy, get a cookie set in their browser that exempts them from the endless repetition of these god-awful cookie notices.

This is the opposite of truth.

I don't run any blockers, and there are websites I visit regularly which ask me for cookie approval EVERY TIME I VISIT.

These websites aren't putting a cookie on your computer saying "this computer accepted cookies and so all cookies are good from now until forever". I mean maybe they ARE doing this, but they are still asking EVERY TIME YOU VISIT.

If you know of a way for me to tell one of these websites that I'm okay with their cookies and I don't want to click "Accept" again, I would LOVE to know about it.
posted by hippybear at 1:43 PM on April 8 [1 favorite]


I finally installed Consent-o-Matic in Chrome, it tries to fill in the forms on a bunch of sites. It sort of works but is not perfect.

What would be better is if the websites respected the Do Not Track header which was standardized back in 2007. But the surveillance capitalism industry refused to honor our explicitly expressed preference. So now it's a long slow battle with websites performing malicious compliance to make us all mad about what should be a very simple privacy request.

While cookies suck, they're at least open. The new forms of surveillance built in to Google Chrome and various mobile browsers like Facebook are much harder to understand. And closed to competitors, cementing their monopoly position.

It used to be installing an ad blocker was a convenience. Now it's a necessary security measure. I'm about 80% of the way to deciding to install one of those "make it look like you clicked on all the ads" to actively pollute the surveillance data and weaken the businesses. The online ad industry declared war on us, any countermeasure is morally justified.
posted by Nelson at 1:48 PM on April 8 [3 favorites]
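
What honoring the Do Not Track header could look like on the server, as an added example that is not part of the thread or of the linked study. The cookie names, categories and the `consent` cookie format are hypothetical, treating `Sec-GPC` like `DNT` goes beyond the comment above, and letting a header opt-out override a stored "accept" is a policy choice made for this sketch.

```python
# Added illustration: deciding which cookies a response may set.
# Cookie names, categories and the "consent" cookie format are hypothetical.
from http.cookies import SimpleCookie

ESSENTIAL = "essential"

# Constructed catalogue of cookies a site might want to set.
CATALOGUE = {
    "session_id": ESSENTIAL,
    "consent": ESSENTIAL,  # remembers the visitor's answer, nothing else
    "analytics_id": "analytics",
    "ad_profile": "advertising",
}


def _lower(headers):
    """HTTP header names are case-insensitive, so normalise them once."""
    return {k.lower(): v.strip() for k, v in headers.items()}


def opted_out_by_header(headers):
    """True if the browser sent DNT: 1 or Sec-GPC: 1."""
    h = _lower(headers)
    return h.get("dnt") == "1" or h.get("sec-gpc") == "1"


def stored_choice(headers):
    """Return 'accept', 'reject' or None (no interaction yet)."""
    jar = SimpleCookie()
    jar.load(_lower(headers).get("cookie", ""))
    value = jar["consent"].value if "consent" in jar else None
    return value if value in ("accept", "reject") else None


def allowed_cookies(headers):
    """Names of the cookies the response may set for this request."""
    # No interaction counts as no consent; a header opt-out overrides "accept".
    consented = (stored_choice(headers) == "accept"
                 and not opted_out_by_header(headers))
    return sorted(name for name, category in CATALOGUE.items()
                  if consented or category == ESSENTIAL)


def show_banner(headers):
    """Ask only when neither a stored answer nor a header already answers."""
    return stored_choice(headers) is None and not opted_out_by_header(headers)
```

Remembering a "reject" takes a cookie of its own, so a visitor who clears cookies on exit is asked again unless the browser sends one of the opt-out headers.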


okay so to pull back a little to
  1. why we got cookies in the first place
  2. why the Internet is crawling with spies spying on you no matter how hard you try to keep them from doing that
is at some point back in the day some misguided folks decided that web content could be applications rather than documents and then a little while later some folks (the same folks and others) decided that web content should be applications rather than documents and then eventually we reached the point where pretty much all web content consisted of applications rather than documents. if you don’t think so, try turning off javascript for a little while — but remember to turn it back on, because the surprisal of having javascript turned off is pretty much high enough to immediately individuate you all by itself.

it is too late of course to retvrn to gopher or implement admiral adama’s wise dictate re: networking the computers or whatever but it is still worth noting that, holy shit, we’re all running all sorts of applications all the time on a network that’s not just untrusted but in fact entirely untrustworthy.
posted by bombastic lowercase pronouncements at 1:59 PM on April 8 [1 favorite]


Cookies are documents, not application code.
posted by Nelson at 2:03 PM on April 8 [1 favorite]


cookies are documents used by applications.
posted by bombastic lowercase pronouncements at 2:04 PM on April 8 [1 favorite]


Huh. I thought cookies were created so you could put things in a virtual shopping cart. They were developed specifically so partial transactions would be stored on the local browser rather than on the server end.
posted by hippybear at 2:05 PM on April 8


The applications that use cookies are mostly running on the server. Client side Javascript is really not the problem in this particular mess. Javascript may cause other problems and potential privacy invasions, sure, but not this cookie consent fraud.
posted by Nelson at 2:06 PM on April 8 [1 favorite]


like cookies only make sense as a technology for web content that is an application.
posted by bombastic lowercase pronouncements at 2:06 PM on April 8


There are so many 'data brokers' (and hackers, no doubt) selling my personal information that I didn't give them, they shouldn't have and that I have never consented to said sales, that the cookies consent thing is just an annoying reminder of all this for me. I'm not saying the issue shouldn't be addressed/fixed, but at this point it feels a bit like asking if I would like to run back in and pull the fire alarm of a building that is already completely engulfed in flames.
posted by BigHeartedGuy at 2:08 PM on April 8


and saying that “client-side javascript is not the problem” is kind of askew, given that as i understand it the only way to have half a chance at not giving up enough information about you and your device to individuate you is by running a stock low-end android device (or whatever else is most common in wherever sites decide you are via geolocation, but as a rule stock low-end android is going to be what you want).

and like okay i guess the point isn’t just that client-side scripting is a nightmare, it’s that server-side scripts with knowledge about your machine are themselves nightmares.

I am provisionally willing to give css a temporary pass until after we’ve blown up at least half the Internet, but css fingerprinting techniques are likewise pretty effective.
posted by bombastic lowercase pronouncements at 2:13 PM on April 8


There is an argument that online tracking is a problem that could be addressed but isn't because everyone in Congress is too old to even begin to understand the problems...

But really, CSS isn't the problem in the thing you're describing. Malicious computer profiling by various companies is the problem. CSS actually makes the web work. [I actually liked Web 1.0, but I'm in the minority.] But saying "we need to stop running CSS on our machines because people with the intent of tracking us without our intent use the CSS running on our machines to fingerprint us outside of normal identification permission structures" is ridiculous.

The actual thing to say is "we need to outlaw CSS fingerprinting of people online without their consent".
posted by hippybear at 2:17 PM on April 8 [1 favorite]


The only websites I get an actual "reject all cookies" option on, right up front next to "accept cookies" and, sometimes, "set cookie preferences", are European sites or versions of global sites localized to a specific European country. If you're not from such a country, did you know that Google, Amazon, and so on are perfectly capable of allowing you to decline their cookie offer completely? (Although what they do behind the scenes, I don't know.)


> holy shit, we’re all running all sorts of applications all the time on a network that’s not just untrusted but in fact entirely untrustworthy

Where possible* I avoid on principle sites that require javascript to do specific things that other sites manage to pull off just fine without, or that don't provide any kind of stripped-down non-JS version. (*it's all too often not possible. I wish using minimal javascript were considered an important best practice/sign of trustworthiness rather than some ridiculous thing only old-fashioned devs would do.) And when sites that used to not require JS suddenly start to require it I develop deep, lasting grudges against them (imgur, for example, used to happily display the linked image with no issues, until it decided to display a blank page unless JS is enabled. Bluesky, despite its other issues, has my respect so far on this particular one for displaying the text of a linked post - albeit in the most basic, ugly format possible - even with JS disallowed.)
posted by trig at 2:24 PM on April 8 [3 favorites]


> The actual thing to say is "we need to outlaw CSS fingerprinting of people online without their consent".

so to steal a line of argumentation from some jerk oh shit i can’t find the comment maybe it was mathowie instead, say you have constructed a device for fetching acorns that consists of a large metal tube and some explosive powder and a heavy metal ball that comes out of the tube super fast when the powder is exposed to flame. this is a pretty neat device and if you practice I bet you could get some acorns out of a tree with it — but it’s not an acorn fetcher, it’s a gun.

basically technologies offer certain affordances and although law is occasionally used to suppress use of acorn fetchers as guns, in practice the only reliable way to stop people from using a device for what it does instead of for what you want it to do is to not provide those affordances in the first place — even if it means you therefore don’t get to build any neat acorn fetchers.

am i saying that the entire modern web is bad? yes, i am saying that. am i saying it is unfixably bad? yes, i am also saying that.

(one of the many many things that drive me up the wall about computer science departments is that they’ll often stand up perfunctory ethics-in-computing classes that tell students that technologies are morally neutral / demand students repeat that claim? which is, to be blunt, complete gibberish nonsense from sillytown as claims go, as they would know if they bothered to listen to anyone from any of the departments that actually care about ethics in technology.)

posted by bombastic lowercase pronouncements at 2:53 PM on April 8


Very tiny quibble with the post’s phrasing: this is an article published at a security conference that happens to be run by USENIX, not a capital-R “Report” from the USENIX association.

It’s a minor distinction, but it’s helpful to give credit to the actual researchers at ETH Zurich. USENIX is a fine association (of which I’m a member!) but AFAIK they are not themselves doing cookie research.
posted by learning from frequent failure at 3:00 PM on April 8 [3 favorites]


and like wrt banning fingerprinting by law, lol it’s often possible to passively — and therefore completely undetectably — fingerprint you via html headers.

the web provides nasty affordances that can be trivially used for reliable stalking of a type that law can’t see. and like it’s super useful for other things too, but stalking is the most lucrative thing you can use it for. it’s not an acorn fetcher, it’s at best a gun with acorn fetcherlike characteristics.
posted by bombastic lowercase pronouncements at 3:05 PM on April 8


I have a pi-hole and Privacy Badger and tracking protection turned on in Firefox and a separate Facebook container... and I still get clearly targeted ads at home. It's probably just our IP number from our home connection and browser user agent that's enough to make that work. Short of moving to Tails, I think I'm out of options.
posted by i_am_joe's_spleen at 3:14 PM on April 8

