from Hacker News

New browser signal could make cookie banners obsolete

by chdlr on 6/16/21, 8:03 AM with 261 comments

  • by pornel on 6/16/21, 9:48 AM

    Reminder that we've already had a spec for it. In the 90s! And it even has been implemented in the Internet Explorer: https://www.w3.org/P3P/ It did absolutely nothing for privacy. Google has been sending bogus P3P headers that broke IE's implementation and allowed all cookies.

    Adtech companies don't want users to have an easy opt-out. They didn't want P3P. They didn't want DNT. They will not want this new spec, unless the spec is so bad that most users will agree by accident.

    The annoying and confusing cookie banners are a feature. Besides making people agree through confusion or attrition, the banners are malicious compliance. Adtech companies putting them up want you to be pissed off at the banners. They want you to associate them with privacy, and conclude that privacy laws are pointless and should be repealed.

  • by hnarn on 6/16/21, 10:12 AM

    The most frustrating thing about these cookie banners (more like cookie lightboxes) is that almost none of them are compliant with the rules. Unfortunately I don't have time to find the source right now, but I'm pretty sure I've read official EU guidance docs clearly stating that many "dark patterns" are simply illegal. For example making the "Accept all cookies" button require less effort than only accepting necessary cookies, which almost every page does.

    I feel like the current state of cookie consent is completely broken, partly due to the complete lack of enforcement, and having a browser-specific setting that propagates to all pages would be great -- but again you have to think about incentives. If pages are not required to accept these settings, their incentive is to ignore them and to claim that since it's unfortunately not supported "yet" (read "ever"), you still have to wade through the cookie form.

  • by juloo on 6/16/21, 9:51 AM

    Why do they still think we want tracking cookies ? The ad industry should prepare for a future with no tracking instead of trying to survive with ever shadier tricks, IMO.

    This won't work:

    - browsers other than Chrome will say "no tracking" by default, tracking companies won't like that

    - websites will ignore this, this will be known and people will be upset even more

    - more javascript when we want less

  • by deepstack on 6/16/21, 9:53 AM

    Instead of blocking cookies, work on more stuff that will block finger printing such as stuff that is mentioned in https://www.nothingprivate.ml

    One spec could be split up the JS api into stuff that manipulate the dom and stuff that access GPU and other hardwares that may identify the browser or machine. Safari seems to be the only one that is doing anything in that area.

  • by gmueckl on 6/16/21, 9:39 AM

    I don't see how this will be adopted without backing by legal threats. Even if this gets implemented on a voluntary basis, you need a fallback for browsers that don't support it. And if you need to have a version of the prompt with a user experience that isn't controlled by the browser, you might just as well use it to keep pushing the same dark patterns to everyone. Am I missing something?

  • by qwerty456127 on 6/16/21, 9:57 AM

    > The mechanism serves as an automated means for users to give or refuse consent

    There already is the do-not-track flag, why not just force everybody to respect it?

  • by mgkimsal on 6/16/21, 12:18 PM

    in the 90s, we had a 'big cookie' scare. and laws were threatened (or passed?). And... MUCH of this came down to ... managing cookies (or other browser state) was (and is) largely so damn hidden behind layers of configs, menus and options.

    We have a home button. We have forward and back. We have 'bookmark' buttons, which many people understand. A big 'COOKIE' button, on the main browser UI, that clearly show cookie info, with a big "GET RID OF ALL COOKIES" trashcan button right there.... that would have prevented 90+% of the scare and legislation efforts from the start.

    I looked for "clear my cookies" - in 2021, it's still click '3 dots' or something else, then click something, then click something, then confirm. https://its.uiowa.edu/support/article/719

    "But there's so much nuance - I want to keep some, and not others, etc".

    We didn't have this many choices in 1998. My point is giving a big honking "get rid of it all" back then would have changed the trajectory of the entire discussion. It still might.

    I've lived through 2 decades of having to deal with support people trying to help users "clear your cache" or "reset your cookies". "Private mode" does help to a degree, assuming you're dealing with somewhat tech-savvy folks.

  • by sandstrom on 6/16/21, 10:01 AM

    The thing with ideas like this is that it'll all boil down to one thing: opt-in or opt-out.

    If it's opt-in, hidden inside browsers settings, effectively no-one will use it (e.g. current cookie blocking settings).

    If it's opt-out everyone will use it (see e.g. Apple's recent "This app is asking to track you across the internet, do you want to allow it?".

    Question is, why make it complicated with a spec like this. Better to just agree to block all cookies, or to allow cookies.

  • by durnygbur on 6/16/21, 10:53 AM

    Tinder, Google, Amazon, Twitter, Facebook and other plaftorms can reliably ban an account without knowing the name, surname, birthdate. Just from the broad fingerprint of the device, email, phone number, Wifi SSIDs, location, and other data they collect. Yet they are showing the cookie and "privacy" splashscreens and popups on every visit. Every. Freaking. Time. Google with Youtube in particular. Isn't it malicious compliance?

  • by butz on 6/16/21, 11:57 AM

    A bit too late, but still great for users and for developers. Not so much for cookie banner services, but that's their own fault for providing cookie banners that cover half or more of screen, have confusing selections or none at all and uses dark patterns to push visitor to "Accept All" cookies. And browsers should ask user for default preference only once, to prevent bothering with useless notifications from each website.

  • by zeepzeep on 6/16/21, 11:40 AM

    I use uBlock Origin with "Easy List Cookies" which blocks most cookie banners

  • by vincentmarle on 6/16/21, 10:23 AM

    All this does is move the cookie banner from the website to the browser which still means I have to click approve every time I visit a new website. What I really would like to do is to get rid of these annoying cookie banners entirely and have something auto opt-in for me so I can get back to a decent web browsing experience a la pre-2017…

  • by timvisee on 6/16/21, 12:12 PM

    Data collection is the problem. It is insane to me that we're now resorting to these kinds of 'solutions'.

  • by maxwellito on 6/16/21, 10:17 AM

    Do you remember 'doNotTrack' ?

  • by slownews45 on 6/16/21, 6:08 PM

    I just want ONE option - ACCEPT ALL COOKIES.

    Seriuosly, I reserve the right to expire, delete, manage and otherwise deal with cookies on my device myself.

    Can anyone create a different standard with ONE flag - ACCEPT ALL COOKIES - SHOW NO BANNERS*

    *User reserves right to delete, purge, modify, expire etc cookies on their device.

    That's what I want.

  • by hibernator149 on 6/16/21, 10:14 AM

    I wonder if this fight over cookies is just a diversion. If we ever get an effective law or tech for cookies, won't the advertisers just shrug and switch to browser fingerprinting? I feel like the only solution is to educate users about AdBlockers and stuff like NoScript.

  • by axismundi on 6/17/21, 7:12 PM

    Use /etc/hosts based blocking, e.g. https://github.com/StevenBlack/hosts

    This way you become mostly invisible to the ad and malware industry, no matter which browser you use.

    Have JavaScript toggle next to address bar and keep JavaScript off by default. Most cookie banners will disappear.

    Use Reader mode for daily news browsing. Most things will disappear except for main content. And it makes Internet less addictive.

    The difference between swimming and drowning is subtle - flailing your limbs frantically vs relaxed movement. To many complex solutions will make us drown.

    Consider swimming instead :)

  • by qwertox on 6/16/21, 3:10 PM

    I would rather have a cookie-based approach where the opt-in dialog is clearly laid out via regulation.

    At the top of the dialog a "decline"-button and to the right of it an "accept"-button. These buttons toggle all the toggles of the providers listed below those two buttons. You can then manually override each of the listed providers, which may be also grouped by purpose in order to ease selection. No nested dialogs are allowed.

    Upon declination, one single cookie must get set, with a specific name, ie 'consent-acknowledge-status', with an expiry date of at least one week, where the consent selection is stored, so that it can be respected in future visits.

  • by sam345 on 6/16/21, 11:15 AM

    Regulations tend to become pretty stale pretty fast while tech moves on . Maybe users just need to pushback by picking browsers that respect privacy. We would do better by funding better privacy tech and educating consumers then chasing regulations that almost never get it right, bog down the user experience, and generally become a hassle to everyone involved.

  • by gorgoiler on 6/16/21, 5:18 PM

    This week I told iOS safari to block all cookies.

    It’s really not that awful. In fact, it’s kind of fantastic. I use a second browser (Google Chrome) for “signed-in stuff”.

    Try it.

    (Although the fact that I just posted this from safari reminds me I’m not 100% up to speed on which-browser-for-what-activity discipline.)

  • by _boffin_ on 6/16/21, 5:23 PM

    Been thinking of making a chrome/firefox extension that will detect those cookie notifications and automatically nope out of them all for you and submit, but been too lazy to implement.

  • by kissgyorgy on 6/16/21, 2:27 PM

    I understand that standards like these take years to make, but this should have been in the browsers for a loooong time at this point instead of every website implementing them differently.

  • by peterhil on 6/16/21, 1:10 PM

    Finally!

    Why on earth this was not implemented in the first place on web browsers?

  • by pacman2 on 6/16/21, 6:43 PM

    I use the I don't care about cookies Plug-in. My browser forgets all the cookies when closed. Besides several privacy plug-ins, I the the temporary container plug-in.

    Problem solved.

  • by dariosalvi78 on 6/16/21, 10:01 AM

    now that's something sensible!

  • by Aeolun on 6/16/21, 12:46 PM

    I read a lot of negative things here, but I like this spec.

    We (as a profession) shpuld try to eliminate cookie banners, while still allowing users to opt out.

  • by mrfusion on 6/16/21, 11:15 AM

    Now they need one for all the newsletter sign up boxes.

  • by thepangolino on 6/16/21, 9:39 AM

    Don’t browsers already have a feature to block cookies?

  • by technicalya on 6/16/21, 2:50 PM

    No a comment its a question. Do you use ad-blockers?

  • by rosmax_1337 on 6/16/21, 11:13 AM

    I've done some basic reading on GDPR but can't honestly say I have it completely figured out. Can someone help me out with a use case that I come across frequently? Selling tracking data to third parties is the kind of thing noone wants to actually opt in to, and what I imagine GDPR partially tries to combat. (among other things)

    What about site statistics keeping? If say a newspaper collects statistics about visitors to their articles, and does browser/user tracking by implementing cookies, for __internal__ use, rather than selling data to third parties. Is a cookie banner still neccesary for that kind of consent?

    Personally, I don't care if my IP appears on any website log that I have visited, or if a unique cookie ID becomes present on the site until I clear my cookies. If i cared about my IP being tracked, or cookie IDs like that, I would browse using a VPN and "Private mode" in browser. What I do care about is the complex browser fingerprinting that keeps track of (essentially) my entire browser history, externally, with everything from my google searches, youtube videos, online purchases and website visits being visible in some kind of giant aggregate form.

    Basically compare it to being videotaped when entering a store. Yeah sure, I might be a bit irked by the camera but I don't care too much. Comparing that to putting a camera on every street corner, and using facial recognition to generate a day by day pattern of all my visits to all stores the last 30 years, and I'm not a happy camper any more.

    I would even go as far as cookie banners for the above tracking scenario, where you are tracked completely, should be illegal. That kind of "consent" can't even be gained by just clicking a <button> on a website, it would require a valid ID and signature at least.

    And on the other hand, the "internal store videocamera" taping customers as they enter, perhaps even applying face recognition software to count unique visitors per year to the store, is hardly worth the hassle of a clicking a cookie banner personally. I'm certainly not averse to a position of not wanting to be tracked when entering a store or a webpage though, and if someone has a personal need to not be tracked like that, they should be able to apply basic non consent based tools to avoid being tracked. Like wearing sunglasses and a cap when entering the store, or browsing using a VPN.

  • by mrweasel on 6/16/21, 9:54 AM

    Cookies are used for things other than tracking, so maybe not obsolete, just irrelevant for tracking usage.

    I didn’t read the entire spec, maybe there’s stuff that replaced cookies in there.