As someone who posted a postprint of an accepted "privacy? y'all heard of it? because you sure ain't acting like it" article online today (journal is OK with it)... gosh I hope this leads to better enforcement which leads to better compliance.
posted by humbug at 12:54 PM on April 8 [3 favorites]

Cookie notices are literally the dumbest thing ever implemented.

Who sees all the cookie notices? Those people who have cookies disabled, blocked, or who regularly clear them, the very people who would need to be the least concerned about cookie-based tracking. On the contrary, those who accept all cookies willy-nilly, without a second thought about privacy, get a cookie set in their browser that exempts them from the endless repetition of these god-awful cookie notices.

A truly perverse incentive.
posted by I EAT TAPAS at 12:57 PM on April 8 [9 favorites]

humbug, the problem seems to be that privacy-hating businesses have managed, by intentionally making the privacy-respecting option as intrusive and painful as possible, to brand increased privacy as a bad thing—so that many casual users would rather that their privacy rights go away than that those same rights be more strictly enforced. (On preview, rather what I EAT TAPAS said, but perhaps with a more sinister cast of mind towards the corporate actors.)
posted by It is regrettable that at 12:58 PM on April 8 [6 favorites]

For a while now I have been following the routine of using I still don’t care about cookies combined with the Firefox setting [x] Delete Cookies and Site data when Firefox is closed.
Then you get no prompts and can clear out all the cookies by just closing the browser regularly.
posted by Lanark at 1:07 PM on April 8 [3 favorites]

A truly perverse incentive.

I think a significant amount of EU lobbying on behalf of the advertising industry is the reason we are in this mess. It is working exactly as intended, just not for our benefit.
posted by Lanark at 1:10 PM on April 8 [4 favorites]

I'm the person who ALWAYS tries to find the option to decline the insidious "legitimate interest" cookies. But even where that option exists, and I click ALL of the sliders while muttering through my teeth what they can go and do, there are still the ones you can't opt out of. "Link different devices". "Match and combine offline data sources". I want to be able to refuse those! I hate the sites that railroad you to "Accept" with no other option (what the study calls "forced action").

I'm running Firefox with uBlock and have private browsing on my phone, but then it becomes a pain to re-log into all the sites it logs me out of when it clears the cookies. Still haven't found the ideal solution for this.
posted by Pallas Athena at 1:13 PM on April 8 [5 favorites]

The branding of "cookies" as some kind of big scary boogieman generally — a thing that goes back several years when laypeople heard about and misunderstood them — and then the rampant actual ridiculous abuses of them by commercial surveillance entities led us to this point. Regulators love these notice requirements because it makes them feel like something's being done, but everyone else hates them: users, site implementors, commercial surveillance dudes.

Oh, wait, there's one more entity that loves them: the companies that sell "cookie notice / management" type solutions to site implementors. Those guys love all that delicious, instrumented, "anonymized" cookie banner traffic they can sell analytics about.

The thing is, users do need better ways to control their privacy when accessing stuff, and better ways to keep commercial surveillance cookies from sticking to their sessions. Those tools belong in the user-agent, though, and the sensible default should be to just discard them outright. Just like the sensible default should be to deny traffic to, well, a whole bunch of endpoints that aren't doing anything but serving ads and collecting analytics.

Every user-agent should just ship with OISD Large as a default denylist. That would have been a preferable regulation over requiring 'cookie notices' and all the other stuff that GDPR ostensibly choked down site operators' throats.
posted by majick at 1:16 PM on April 8 [5 favorites]

On the contrary, those who accept all cookies willy-nilly, without a second thought about privacy, get a cookie set in their browser that exempts them from the endless repetition of these god-awful cookie notices.

This is the opposite of truth.

I don't run any blockers, and there are websites I visit regularly which ask me for cookie approval EVERY TIME I VISIT.

These websites aren't putting a cookie on your computer saying "this computer accepted cookies and so all cookies are good from now until forever". I mean maybe they ARE doing this, but they are still asking EVERY TIME YOU VISIT.

If you know of a way for me to tell one of these websites that I'm okay with their cookies and I don't want to click "Accept" again, I would LOVE to know about it.
posted by hippybear at 1:43 PM on April 8 [3 favorites]

I finally installed Consent-o-Matic in Chrome, it tries to fill in the forms on a bunch of sites. It sort of works but is not perfect.

What would be better is if the websites respected the Do Not Track header which was standardized back in 2007. But the surveillance capitalism industry refused to honor our explicitly expressed preference. So now it's a long slow battle with websites performing malicious compliance to make us all mad about what should be a very simple privacy request.

While cookies suck, they're at least open. The new forms of surveillance built in to Google Chrome and various mobile browsers like Facebook are much harder to understand. And closed to competitors, cementing their monopoly position.

It used to be installing an ad blocker was a convenience. Now it's a necessary security measure. I'm about 80% of the way to deciding to install one of those "make it look like you clicked on all the ads" to actively pollute the surveillance data and weaken the businesses. The online ad industry declared war on us, any countermeasure is morally justified.
posted by Nelson at 1:48 PM on April 8 [8 favorites]

okay so to pull back a little to

1. why we got cookies in the first place
2. why the Internet is crawling with spies spying on you no matter how hard you try to keep them from doing that

is at some point back in the day some misguided folks decided that web content could be applications rather than documents and then a little while later some folks (the same folks and others) decided that web content should be applications rather than documents and then eventually we reached the point where pretty much all web content consisted of applications rather than documents. if you don’t think so, try turning off javascript for a little while — but remember to turn it back on, because the surprisal of having javascript turned off is pretty much high enough to immediately individuate you all by itself.

it is too late of course to retvrn to gopher or implement admiral adama’s wise dictate re:
networking the computers or whatever but it is still worth noting that, holy shit, we’re all running all sorts of applications all the time on a network that’s not just untrusted but in fact entirely untrustworthy.
posted by bombastic lowercase pronouncements at 1:59 PM on April 8 [4 favorites]

Cookies are documents, not application code.
posted by Nelson at 2:03 PM on April 8 [1 favorite]

cookies are documents used by applications.
posted by bombastic lowercase pronouncements at 2:04 PM on April 8 [3 favorites]

Huh. I thought cookies were created so you could put things in a virtual shopping cart. They were developed specifically so partial transactions would be stored on the local browser rather than on the server end.
posted by hippybear at 2:05 PM on April 8

The applications that use cookies are mostly running on the server. Client side Javascript is really not the problem in this particular mess. Javascript may cause other problems and potential privacy invasions, sure, but not this cookie consent fraud.
posted by Nelson at 2:06 PM on April 8 [2 favorites]

like cookies only make sense as a technology for web content that is an application.
posted by bombastic lowercase pronouncements at 2:06 PM on April 8 [1 favorite]

There are so many 'data brokers' (and hackers, no doubt) selling my personal information that I didn't give them, they shouldn't have and that I have never consented to said sales, that the cookies consent thing is just an annoying reminder of all this for me. I'm not saying the issue shouldn't be addressed/fixed, but at this point it feels a bit like asking if I would like to run back in and pull the fire alarm of a building that is already completely engulfed in flames.
posted by BigHeartedGuy at 2:08 PM on April 8 [1 favorite]

and saying that “client-side javascript is not the problem” is kind of askew, given that as i understand it the only way to have half a chance at not giving up enough information about you and your device to individuate you is by running a stock low-end android device (or whatever else is most common in wherever sites decide you are via geolocation, but as a rule stock low-end android is going to be what you want).

and like okay the i guess the point isn’t just that client-side scripting is a nightmare, it’s that server-side scripts with knowledge about your machine are themselves nightmares.

I am provisionally willing to give css a temporary pass until after we’ve blown up at least half the Internet, but css fingerprinting techniques are likewise pretty effective.
posted by bombastic lowercase pronouncements at 2:13 PM on April 8

There is an argument that online tracking is a problem that could be addressed but isn't because everyone in Congress is too old to even begin to understand the problems...

But really, CSS isn't the problem in the thing you're describing. Malicious computer profiling by various companies is the problem. CSS actually makes the web work. [I actually liked Web 1.0, but I'm in the minority.] But saying "we need to stop running CSS on our machines because people with the intent of tracking us without our intent use the CSS running on our machines to fingerprint us outside of normal identification permission structures" is ridiculous.

The actual thing to say is "we need to outlaw CSS fingerprinting of people online without their consent".
posted by hippybear at 2:17 PM on April 8 [1 favorite]

The only websites I get an actual "reject all cookies" option on, right up front next to "accept cookies" and, sometimes, "set cookie preferences", are European sites or versions of global sites localized to a specific European country. If you're not from such a country, did you know that Google, Amazon, and so on are perfectly capable of allowing you to decline their cookie offer completely? (Although what they do behind the scenes, I don't know.)


holy shit, we’re all running all sorts of applications all the time on a network that’s not just untrusted but in fact entirely untrustworthy

Where possible* I avoid on principle sites that require javascript to do specific things that other sites manage to pull off just fine without, or that don't provide any kind of stripped-down non-JS version. (*it's all too often not possible. I wish using minimal javascript were considered an important best practice/sign of trustworthiness rather than some ridiculous thing only old-fashioned devs would do.) And when sites that used to not require JS suddenly start to require it I develop deep, lasting grudges against them (imgur, for example, used to happily display the linked image with no issues, until it decided to display a blank page unless JS is enabled. Bluesky, despite its other issues, has my respect so far on this particular one for displaying the text of a linked post - albeit in the most basic, ugly format possible - even with JS disallowed.)
posted by trig at 2:24 PM on April 8 [4 favorites]

> The actual thing to say is "we need to outlaw CSS fingerprinting of people online without their consent".

so to steal a line of argumentation from some jerk oh shit i can’t find the comment maybe it was mathowie instead, say you have constructed a device for fetching acorns that consists of a large metal tube and some explosive powder and a heavy metal ball that comes out of the tube super fast when the powder is exposed to flame. this is a pretty neat device and if you practice I bet you could get some acorns out of a tree with it — but it’s not an acorn fetcher, it’s a gun.

basically technologies offer certain affordances and although law is occasionally used to suppress use of acorn fetchers as guns, in practice the only reliable way to stop people from using a device for what it does instead of for what you want it to do is to not provide those affordances in the first place — even if it means you therefore don’t get to build any neat acorn fetchers.

am i saying that the entire modern web is bad? yes, i am saying that. am i saying it is unfixably bad? yes, i am also saying that.

(one of the many many things that drive me up the wall about computer science departments is that they’ll often stand up perfunctory ethics-in-computing classes that tell students that technologies are morally neutral / demand students repeat that claim? which is, to be blunt, complete gibberish nonsense from sillytown as claims go, as they would know if they bothered to listen to anyone from any of the departments that actually care about ethics in technology.)
posted by bombastic lowercase pronouncements at 2:53 PM on April 8 [2 favorites]

Very tiny quibble with the post’s phrasing: this is an article published at a security conference that happens to be run by USENIX, not a capital-R “Report” from the USENIX association.

It’s a minor distinction, but it’s helpful to give credit to the actual researchers at ETH Zurich. USENIX is a fine association (of which I’m a member!) but AFAIK they are not themselves doing cookie research.
posted by learning from frequent failure at 3:00 PM on April 8 [5 favorites]

and like wrt banning fingerprinting by law, lol it’s often possible to passively — and therefore completely undetectably — fingerprint you via html headers.

the web provides nasty affordances that can be trivially used for reliable stalking of a type that law can’t see. and like it’s super useful for other things too, but stalking is the most lucrative thing you can use it for. it’s not an acorn fetcher, it’s at best a gun with acorn fetcherlike characteristics.
posted by bombastic lowercase pronouncements at 3:05 PM on April 8

I have a pi-hole and Privacy Badger and tracking protection turned on in Firefox and a separate Facebook container... and I still get clearly targeted ads at home. It's probably just our IP number from our home connection and browser user agent that's enough to make that work. Short of moving to Tails, I think I'm out of options.
posted by i_am_joe's_spleen at 3:14 PM on April 8

Imma let y’all finish, but I didn’t see any way to stop {Home Depot,Lowes,Best Buy} from forcing me to shop in $TELCO_IP_LOCATION after accepting cookies erry tiem x 1e100 times.
posted by drowsy at 6:54 PM on April 8

Of course I think it's bad that these companies are being dishonest and collecting information without permission, but am I right in thinking the reason everyone objects to these cookies is that they are used to build profiles to show targeted ads?

I decided several years ago to just always click Accept on these banners, because I didn't find these cookies particularly threatening. But I also have ad-blocking software in my browser, so I don't generally see ads anyway. So given that I'm not bothered by the advertising implications, are these cookies really that bad for me?
posted by mokey at 10:35 PM on April 8

and like wrt banning fingerprinting by law, lol it’s often possible to passively — and therefore completely undetectably — fingerprint you via html headers.

You mean HTTP headers, and it’s nowhere near the same thing. When your browser connects it shares the User-Agent header and a few other things which tell the remote server that, say, you’re using Chrome on Windows 11 so they can put you in a demographic bucket but not uniquely identify you unless you’re using a very unusual combination (sorry Firefox on OS/2 retro-computing fans). Even tossing data collected from JavaScript into the mix won’t change that too much more since things like the location APIs require prompting.

The most uniquely identifying bit of information a site gets is an IP address. If you’re a single person whose ISP doesn’t rotate addresses or use NAT to share them across customers, that might identify all of your home traffic uniquely for years but if you’re a mobile user it might only narrow it down to, say, all of the people using the same phone in your region. This is what services like VPNs, iCloud Private Relay, etc. are designed to control but you do have to gamble that your provider isn’t cheating - for example, Cloudflare and Apple claim to have a system where no single server can link a request coming into iCloud Private Relay to the request going out to the remote server using some cool blinding techniques but you are very much trusting them to have implemented that correctly, just as you’re trusting a VPN provider not to be logging more than they promised.

Cookies are a step beyond that in terms of reliability: when you make a request your browser includes a value that the server previously gave you, allowing the server operator to precisely link that request to older activity without any confusion about things like changing IP addresses or multiple users sharing an IP. That’s great for logins, shopping carts, etc. but it’s very much a trust exercise like a store loyalty card. The big concern here has been third-party cookies set by other servers referenced by the page you’re viewing since that allows companies like Facebook or Google to see all of the sites you access which use their sharing widgets, ad networks to see every page you visit from any of their customers, etc. Browsers have been limiting third-party cookies – this is why your very first privacy move is not using Chrome, since the ad company which makes it stalled on that for years – but it’s worth noting that there’s no technical reason why NYTimes.com can’t voluntarily share the same information to an ad network which can use it to confirm that the same exact client visited a different site: they just haven’t done that as much historically because they didn’t need to before cookie blocking came along. The more widespread that becomes, the more sites will put the extra time into alternatives.

This is really why the focus should be on regulating the data rather than the techniques. Now would be a good time for all of us to contact our representatives asking about punishments for non-compliant companies since there’s too much money on the line for technical measures to be sufficient.
posted by adamsc at 6:11 AM on April 9 [2 favorites]

Yes, ultimately the issue is the US' particularly ratshit regulatory framework for privacy.
posted by i_am_joe's_spleen at 12:54 PM on April 9 [1 favorite]

punishments for non-compliant companies

It's not that I disagree with this stance—I think it's the right thing to do—but let's also take a realistic view. "More laws and regulation cops" hasn't resulted in solving wage theft, insider trading, illegal union busting, and all manner of other shit that's perfectly illegal but very profitable. That's not to say we don't want regulation to exist, obviously. Regulation needs to exist when people's data, privacy, and potentially literal lives are on the line.

But turning our backs on "technical measures" means trusting hostile entities—the literal bad guys in this scenario—to do the right thing, or trusting indifferent entities—cops and regulators—to prevent it. This war has to be fought on all fronts.
posted by majick at 7:37 AM on April 10

You are not currently logged in. Log in or create a new account to post comments.