Good
Even before GDPR most sites were abusing the intent of the Cookie directive. Many newspapers (UK), Google, Tumblr etc are abusive in the giant page of options.
Unless the site has a login you are using there is NO good reason for a cookie.
Take-it-or-leave-it cookie walls don't comply with the General Data Protection Regulation, the Dutch data protection authority has said. Cookie walls - meaning you can't come in unless you eat them - also known as tracking walls, are some of the most severe strategies used by companies to slurp folks' data and stalk them …
Yes, I visited a local paper site and had to manually disable over 70 cookies in the preferences pane. There was no option to disable all. A lot of other sites do it properly, but such sites as the paper or ones that refuse access altogether should have their knuckles proverbially rapped.
"Unless the site has a login you are using there is NO good reason for a cookie."
You need to distinguish between persistent and temporary cookies. One of the most common uses of cookies is to preserve state between requests. Even without any login, any site that isn't just brochureware probably needs session state. It's possible to preserve state without cookies using request and response data, but this is really just a diy cookie.
When properly implemented, session cookies are harmless. Their lifetime and accessibility should both be limited to the current session.
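The lifetime and accessibility limits described in the comment above, as an added example that is not part of the original thread: a small auditor that reads `Set-Cookie` header values and reports how a cookie reaches beyond the current session. The function names and sample headers are constructed for illustration, and reading "accessibility" as the `HttpOnly`, `Domain` and `SameSite` attributes is an assumption.

```python
# Added example: checks Set-Cookie headers against a "current session only" rule.
# All header strings below are constructed samples, not captured traffic.

def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, lower-cased attribute dict)."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def is_persistent(attrs):
    """True if the cookie is written to survive the end of the browser session."""
    # Max-Age takes precedence over Expires; a non-numeric Max-Age is ignored.
    try:
        return int(attrs["max-age"]) > 0
    except (KeyError, ValueError):
        pass
    # Simplification: any Expires counts, although a past date deletes the cookie.
    return "expires" in attrs


def audit_set_cookie(header):
    """Return the ways a cookie reaches beyond the current session and origin."""
    _, attrs = parse_set_cookie(header)
    findings = []
    if is_persistent(attrs):
        findings.append("persistent")
    if "httponly" not in attrs:
        findings.append("script-readable")
    if attrs.get("domain"):
        findings.append("shared-with-subdomains")
    if attrs.get("samesite", "").lower() == "none":
        findings.append("sent-cross-site")
    return findings


SESSION_COOKIE = "sid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"
TRACKING_COOKIE = ("uid=u-42; Domain=ads.example; Path=/; "
                   "Max-Age=63072000; Secure; SameSite=None")

if __name__ == "__main__":
    for header in (SESSION_COOKIE, TRACKING_COOKIE):
        print(parse_set_cookie(header)[0], audit_set_cookie(header))
```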
Indeed, a shopping cart is the example par excellence of why you need something like cookies. You could pass session ids around as part of the URL if only they couldn't be subverted so easily…
I wonder how http/2 fits into this, because it does explicitly allow for persistent connections.
"Indeed, a shopping cart is the example par excellence of why you need something like cookies. You could pass session ids around as part of the URL if only they couldn't be subverted so easily…"
Except of course in the case of the shopping cart, those cookies may be required in order for the website to provide the service that the visitor is actively choosing to use, as such the website operator may not even require consent (no expert but I think contract / legitimate interest would cover it).
Explain, why a news site, or anything where you didn't need to log in, needs a session cookie? It doesn't.
Any site to do with purchases, tax etc needs a login.
Commenting should never be without a login.
I struggle to remember using a site that needs a session state, that you didn't have to log into first.
"Even without any login, any site that isn't just brochureware probably needs session state."
That would be the ones "essential to the operation of the site" which are allowed under both GDPR and the previous incarnations. That's the problem. Most of the "cookie banners" simply say "we use cookies, deal with it or piss off" because the site operators either don't understand the law or are deliberately abusing it.
"Well they seem to be starting to issue enforcement on the major players at least - thank goodness we are part of a major trading bloc - ohhhh whoops"
If the UK wants to be able to trade/transfer data with the EU then we'll need to retain GDPR or something so close to it as makes no difference. And we'll have to show we enforce it to at least a similar level as the EU, or we lose a lot of our connections. On the other hand, we could just keep applying imported US fig leaves and pretend everything is ok until the next legal challenge. Rinse and repeat.
An internet full of popup messages asking you to make decisions about something that ultimately could be much better handled in a browser that just denies cookies until you enable them on a per site basis?
Sites are just horrible to use now. It's an absolute mess.
The internet now sucks more than ever!
I got fed up of being hit with cookie messages so I have an add-in in Firefox - temporary containers which opens links in a private session then when I leave the cookies etc are deleted. Seems to work well, especially when opening YouTube links as I can now watch a clip without it knowing and saving what I watched.
"I've put around 30,000 tracking addresses (and the complete Facebook domain name space - around 1,500 tracking addresses) in my hosts file"
That works nicely for one computer, but what else is sharing your internet connection at home? Get yourself a Pi-Hole and be done with it for your whole home. As a nice fringe benefit, your hosts file will get a lot smaller as well.
"Get yourself a Pi-Hole and be done with it for your whole home."
A Pi-Hole might protect your devices while using your home network, but it won't help when those mobile devices (phones, tablets, laptops) are used on other networks - friends, work, random hotspot, etc.
For laptops at least you could create a virtual machine running the PiHole software, but that could be more difficult with Android/iOS devices.
If you were really keen, could probably make a battery-operated PiHole and use that in between your device and the network being accessed.
The only problem with this approach is the next time you visit the site, it'll detect there's no cookies and nag you again - if it doesn't already nag you every single time you visit regardless, like a lot of the local rag (i.e. Newsquest) websites do.
"The next stage will be to see whether European data protection agencies take enforcement action."
I hope they do.
I am currently in a dispute with the hosting company of a SIG that I am a member of. They have recently been bombarding all members with warnings to move to one of their accounts stating "The sooner you connect your forum account with a XXXXX account, the better, since it will happen anyway." Charming.
On looking at their "privacy policy" it basically states that they will scrape every bit of your personal data and flog it to the highest bidder. I am not happy with this "take it or leave it attitude" so if push comes to shove I will leave but in the meantime I have sent them a letter based on a template provided by the ICO. Oh, and I have let NOYB know what is going on. The hosting company now have 28 calendar days to respond. This, I presume, starts on the day they receive my letter because if not, they have 20 calendar days due to the slowness of the postal system in the US. It took 8 days to get delivered. What were they using, a tortoise?
I keep hitting these sort of 'walls' and when you look under the cover there are hundreds of third party sites listed and all selected by default, and no way to unselect except one at a time. I just go elsewhere so the choice is obvious - they lose any chance of my accessing their site :) This mainly seems to be media services and news sites often linked to from my main news feed the BBC so perhaps we should be flagging this back to them so they can provide better third party sources?
BBC do not vet or take any responsibility for third party sources. They are just quoted for your information.
The (usually local) Paper newspapers / websites with lots of individual "no-consent forms" have caused me to stop buying their published newspapers and stopped trying to access them. Double penalty, as a pre read on web usually caused me to buy paper.
Unfortunately, a vast proportion of sites deals with this in a "we are hereby notifying you that you will be tracked - there's nothing you can do about it" fashion, linking to nothing more than a privacy statement or a list of entities they use to track you, without any options attached; at most, they vaguely handwave in the direction of those, saying "how you may or may not deal with those is not our problem". Do you know what GOG's (who are allegedly the good guys, see DRM and all that - well at least the less bad guys...) banner looks like...? Well, prepare to be amazed:
"Not like it changes anything but we are obligated to inform you that we are using cookies - well, we just did. More info on cookies."
Yes, really. Literally. And guess what, there's a comprehensive list of all types of cookies in existence on that page, and not a single checkbox. There is this instead:
"HOW DO I CONTROL COOKIES?
Although most web browsers automatically accept cookies, you may adjust settings on your browser or device to prevent the reception of cookies, or to provide notification whenever a cookie is sent to you. Further information about the procedure to follow in order to disable cookies can be found on your Internet browser provider’s website via your help screen. Also, some of our partners are members of the Networking Advertising Initiative (“NAI”) and/or the Digital Advertising Alliance (“DAA”) – organizations who offer a single location to opt out of receiving tailored ads. If you wish not to have your information used for the purpose of serving you targeted ads, you may opt-out by visiting the DAA's Consumer Choice page and/or the NAI’s Consumer Opt-Out page. Please note this does not opt you out of being served advertising. You will continue to receive generic, or non-targeted, ads."
How in the blazes is this possibly legal?!?
Quite, and it is getting worse. The other day I ended up on the website of our local paper to read something. The cookie blah came up and I had a look as previously I had rejected them. I now could not access the site and the option was to "Agree", nothing else. The only way to get rid of the window that covered the page was to use the browser back button. I investigated more closely to discover something in the region of 600 to 800 cookies (I stopped counting at 100) for "Our partners", all of which had to be individually deselected. A quick check on who owns the paper and their other titles showed a random selection to be the same. This includes national titles. Reach PLC.
What also needs stopping is the growing prevalence of cookies that cannot be turned off as you need to go to a third party site, and usually create an account and login to "opt out".
As you say, total bastards the lot of them.
Be careful what one wishes for. Operating a website costs a ton of money.
By restricting the operator of a website to make a few pennies by slinging a few customized ads, the "free" internet as we know it will slowly die out.
We end up with an internet controlled by big tech, and governments, because all the smaller initiatives are strangled by complex legislation and the limitation to earn some money.
Even when a website asks for permission to place a cookie, compare what a big privacy win a website offers compared to going to a shop:
- The shopkeeper can see one's car
- The visitor of a shop often gets registered by several security cameras
- The shopkeeper knows which bank one uses when paying with cards.
etc...
No idea why they are complaining, these people are probably lefties, once again now trying to kill off free internet with rules and limitations.
How on earth do/did tv stations manage to survive with trackerless adverts, huh?
As I read your post, I struggled to understand how someone could come up with such a silly argument, but then:
"these people are probably lefties"
Ahhh, that explains it. You are one of those who likes the abuses of Facebook et al. and scoff at any clampdown, because... SOCIALISM!
As for "internet with rules and limitations", you know it's your lot that got rid of net neutrality, right?
But of course, laws to stop ISPs censoring your internet are in themselves censorship, according to FOX logic. (except FOX presenters don't believe that, they just know the stupid Republican voters will)
I know it's not a proper solution - these operators were in a morally dubious area before GDPR, and are now explicitly breaking the law, and this should be dealt with properly.
But whenever I come across any of these, unless I actually want to use legitimate cookie functionality (i.e. log in), I reopen in a TOR private tab.
Private because cookies are automatically deleted on exit; TOR to prevent them linking my private session to my non-private through my IP.
Why is block 3rd party off by default? I enable that on the browser straight after install. It's never broken ANY functionality. How are they even legal even before GDPR?
Also I block all or most cookies on most sites I don't login to. That also blocks Google's nasty multipage consent popup on search. Which has no "don't agree" or cancel. Blocking google cookies is the only way.
I use uMatrix
Also reduces my exposure to tracking and malware.
I have a cron job that uses sql to set all third party cookies to temporary, and also limit the lifetime of persistent cookies from non-whitelisted. It's the only way to do it on some android browsers...
But yes, the whole third-party cookie thing is to deliberately get around the mechanism for cookies not being able to traverse their domain - a mechanism from a spec. from back before large global ad companies using common domains existed. Third-party cookies should have been permanently voided in the spec. and all browsers at that point.
The cookie dialog should say:
"Access to badgerbotherers.com is not free.
Click >here< to select a subscription option,
or >here< to continue, and pay for access by sharing tracking information.
Click >here< for information on what information we capture, and who we share it with"
There is no actual reason why a web site should be free. Since the dialog is now just about payment options, the issue of GDPR does not arise, as the information<>access trade is now explicit.
No, many sites do not want to charge. They are either free (no scraping or adverts), basically the owner is paying for it. Or advert funded (need not have evil tracking & javascript, an image/text & link is all that's needed). Or funded some other way (Government, Support for stuff you bought, crowdfunded such as Wikipedia). Some are funded by adverts sold by the illegal snake oil of stealing your activity on the site and across as much of the Internet as possible (Facebook/Instagram/Whatsapp, Google/Alphabet). Others are selling stuff, so the site is free (Amazon, eBay).
Only a minority of sites suit a pure subscription model.
"There is no actual reason why a web site should be free. Since the dialog is now just about payment options, the issue of GDPR does not arise, as the information<>access trade is now explicit."
Wrong. GDPR explicitly says that access to the site must not be restricted by forcing tracking on the user with the only alternative to be to pay. And anyway, people choosing not to be tracked are far less likely to be the people who click on adverts, so the site is losing nothing whether they show targeted or "random" ads. Or are they still getting revenue per eyeball rather than per click?
I personally don't see a problem with a commercial website offering the option to accept the cookies or leave the website. If that is the only choice they don't get my business. I see it as no different than when a physical store might have a sign that says "No shirt, No shoes, No service": it is your choice to go in the store or shop somewhere else that has a less restricted policy.
Obviously if it were a service provider's website or a government run one that you have to access then that is a different matter and you should not then be required to accept cookies to access it.
Since Firefox and Palemoon have recently removed the option to allow or block cookies on a per-site basis, I've had to switch to cookie-handling addons, and most of my browsing these days is done in private windows, with only my core trusted sites allowed in a normal window. Close the window, and the cookies are gone.
Don't sites realise the more draconian their policies get, the greater the inevitable backlash will be?