
Just ban third party tracking.
Cookies are on the menu today for the G7 as the UK's Information Commissioner's Office (ICO) proposes to the group of leading global economies that consent pop-ups should be reduced. The ICO said it would call on fellow G7 data protection and privacy authorities – three of which used to be its fellow EU member states – to work …
"Just ban third party tracking."
Exactly!
And cookies are just the tip of the iceberg...
I'm seeing more and more websites using fingerprinting scripts such as "fingerprint.js" which can detect not only the type of browser the person is using but also the exact make and model of the device.
These fingerprinting scripts are also a favorite of malvertisers and APTs to be able to launch targeted exploits.
https://github.com/fingerprintjs/fingerprintjs/tree/master/src/sources
You don't even need access to the TLS connection to fingerprint, I tested Cloudflare and found they included stuff like the CipherSuite when making the connection to determine device and browser.
The Cipher suite is the list of supported encryption algos for the client device when making a TLS connection, you wouldn't need the content to fingerprint the source:
It looks like "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"...,
It varies depending on the browser and version and device support of which suites, making it very useful for fingerprinting, without needing the TLS content.
Cloudflare, having a fingerprinter, a Content Delivery Network, a Certificate issuer, a Certificate Transparency Log, and a DNS service, AND a service that delivers mock pages ('browser landing pages') very very quickly for any site anywhere, means you cannot trust *any* TLS connection at all anywhere.
So Techdirt for example, has a Cloudflare front end where I am, and so I never read or comment on Techdirt. In other countries it does not, dependent on the country. I have no way of verifying any of that and the TLS is inherently untrustable for that site.
Speech *is* dangerous to some people. True speech is worse. And it does have consequences. So be careful what you say, *particularly here*, *particularly in the UK* and in countries where surveillance is both competently run, and out of control.
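The cipher-suite point made above (that the ordered list a client offers in its ClientHello identifies the browser family without touching any encrypted content) can be demonstrated with a few lines. This is an added example, not code from any commenter or from Cloudflare: it parses the cipher_suites field out of a constructed ClientHello body, drops the randomised GREASE values that RFC 8701 clients insert so the remaining list is stable, and hashes it in the spirit of JA3. The suite names are the real IANA code points the comment mentions; the ClientHello bytes and the two client profiles are constructed for the example.

```python
import hashlib
import struct

# IANA TLS Cipher Suite registry values for the suites named in the thread (plus two common ones).
SUITE_NAMES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
}


def is_grease(code: int) -> bool:
    """RFC 8701 GREASE values have the form 0x?A?A with both bytes equal; browsers pick them at random,
    so a fingerprint that kept them would change on every connection."""
    return (code >> 8) == (code & 0xFF) and (code & 0x0F) == 0x0A


def parse_client_hello_ciphers(body: bytes) -> list:
    """Return the ordered cipher_suites list from a TLS ClientHello handshake body (RFC 8446 s4.1.2).
    Layout: legacy_version(2) random(32) session_id<0..32> cipher_suites<2..2^16-2> ..."""
    pos = 2 + 32                                  # skip legacy_version and random
    sid_len = body[pos]
    pos += 1 + sid_len                            # skip session_id
    (n,) = struct.unpack_from("!H", body, pos)
    pos += 2
    if n % 2 or pos + n > len(body):
        raise ValueError("malformed cipher_suites vector")
    return [c for (c,) in struct.iter_unpack("!H", body[pos:pos + n])]


def describe(codes: list) -> list:
    """Map code points to names; unknown ones are shown as hex rather than guessed."""
    return [SUITE_NAMES.get(c, f"0x{c:04X}") for c in codes]


def fingerprint(codes: list) -> str:
    """Stable identifier for a client's suite preference: order matters, GREASE is ignored."""
    stable = [c for c in codes if not is_grease(c)]
    digest = hashlib.sha256(",".join(str(c) for c in stable).encode()).hexdigest()
    return digest[:16]


def build_client_hello(codes: list, session_id: bytes = b"") -> bytes:
    """Construct a minimal ClientHello body for testing (random is zeroed; real clients randomise it)."""
    suites = b"".join(struct.pack("!H", c) for c in codes)
    return (b"\x03\x03" + bytes(32)
            + bytes([len(session_id)]) + session_id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                         # compression_methods: null only
            + b"\x00\x00")                        # extensions: none (omitted for brevity)


if __name__ == "__main__":
    # Two constructed client profiles: a TLS 1.3-first browser and a narrower embedded-style client.
    browser_like = [0x0A0A, 0x1301, 0x1302, 0x1303, 0xC02B, 0xC02F, 0xC030]
    embedded_like = [0x1301, 0x1303, 0xC02B]
    for label, codes in (("browser-like", browser_like), ("embedded-like", embedded_like)):
        seen = parse_client_hello_ciphers(build_client_hello(codes))
        print(f"{label}: {fingerprint(seen)}  {describe(seen)}")
```

Running it shows two different fingerprints for the two profiles while the same profile with a different GREASE value hashes identically, which is exactly why a CDN or intrusion-detection sensor can tell client populations apart at the TCP/TLS layer alone. The same stability that makes this useful for bot detection is what makes it a tracking signal, so a privacy review that only counts cookies misses it.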
... while Whitehall gets on with chipping away at the real data protection (UK-GDPR).
It would be more convenient for the UK ruling junta if the banners go before UK-GDPR does, because otherwise people might think something is amiss if the UK-GDPR underpinnings disappear and banners for sites hosted in the UK change to "All your data are belong to us and anyone we sell it to [ACCEPT]".
UK's Data Protection Act 2018 is binding domestically now, not GDPR, since the end of last year.
However, to process EU data, UK has to follow GDPR as does the US.
Of course UK will break GDPR, while loudly saying it isn't, similar to Ireland protecting FB. But at some point the EU will say 'enough' and data flow to UK from the countries subject to EU law will be illegal under GDPR.
See https://noyb.eu/en if interested in the Schrems litigation.
They don't know nor care what cookies are. To them, the problem is the stupid banner that gets in the way on websites until you click something to make it go away.
The banner isn't telling them anything they care about, so it's just an obstruction. They know it's something to do with cookies, whatever they are. But if the banner disappears, as far as they're concerned, problem solved.
That's not completely irrational. It's ignorant of course, but we're all ignorant of things we don't care about.
"[a] future, where web browsers, software applications and device settings allow people to set lasting privacy preferences of their choosing, rather than having to do that through pop-ups every time they visit a website"
Given the criteria for exemption from cookie consent it's hard to see how automation could be made to work at all. They have nothing to do with readily testable attributes such as origin or persistence, for example, but are based on necessity for provision of the service:
the cookie is for the sole purpose of carrying out the transmission of a communication over an electronic communications network;
or
the cookie is strictly necessary to provide an ‘information society service’ (eg a service over the internet) requested by the subscriber or user. Note that it must be essential to fulfil their request – cookies that are helpful or convenient but not essential, or that are only essential for your own purposes, will still require consent. [ICO Guide to PECR].
I for one can't see how the distinction between such cookies and all others could possibly be made by a web browser or client side app as it can have no insight into the provider's service architecture or corporate purposes.
Consequently the almost certain outcome of any proposals will tend towards weakening the control folks have over cookie based data slurping. Indeed the Ministerial foreword to the currently open DCMS consultation on Digital Regulation states "we will take an unashamedly pro-tech approach". Which of course in reality means "pro tech-corporate approach", so goodbye privacy for those of us who care.
I for one can't see how the distinction between such cookies and all others could possibly be made by a web browser or client side app as it can have no insight into the provider's service architecture or corporate purposes.
This is not the point. It's not for the browser to work out whether a cookie is required, it is a legal requirement (under GDPR) that a web site not track users without their consent. Of course, this is a paper tiger if the web site operator is outside the reach of the EU* (although breaching parties could find themselves in trouble if visiting the EU, or if they have business interests there). However, it does mean that trying to track users in this way, without their consent, within the purview of the member states can be a very costly mistake.
*and UK, kind of, as long as we want to keep our data-equivalency with the EU, which our current government seems keen on throwing away.
It doesn't have to, the browser just sends a 'no ad cookies' request to the site and it's up to the site to obey. The browser doesn't enforce the site behavior anymore than the popup banner does.
What the ad men are afraid of is no one is going to click yes to a simple 'do you want spam' option when they install the browser, even if they would click 'accept all cookies' rather than navigate a 10-page preference page at every site.
"It doesn't have to, the browser just sends a 'no ad cookies' request to the site and it's up to the site to obey."
Nope, you're looking at it the wrong way round. The browser doesn't need to send a thing at all - as per PECR & GDPR, cookies (or other tracking "things") can *only* be used with consent, unless they are strictly necessary for the functioning of the website (which doesn't include analytics for instance).
So a "please-track-me-any-which-way" HTTP header could well be defined as a "cookie banner" alternative and used when people want to signal that they consent to being tracked but the default lawfully compliant scenario when no such header is sent (or sent with a value "No") is for *no* tracking to occur.
In the same way, all these "by continuing to browse our website you agree to our Privacy Notice and Cookie Policy" banners are not legally valid. Likewise for any sites putting Google Analytics links in the HTML NoScript tag on their webpages to track people who have Javascript disabled.
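The server-side shape of the opt-in header described in the reply above, as an added example that is not part of any comment and not any real browser or site's protocol: the header name `X-Tracking-Consent` is invented for the illustration, the strictly-necessary session cookie is always set, and the analytics cookie is only emitted when the header is present and says "Yes". A missing header, "No", or anything unrecognised falls through to no tracking, and mere continued browsing never counts as consent.

```python
import secrets

# Hypothetical header name, constructed for this example; no browser sends it today.
CONSENT_HEADER = "X-Tracking-Consent"


def tracking_allowed(request_headers: dict) -> bool:
    """Default-deny consent check. HTTP header names are case-insensitive, so normalise before lookup.
    Only an explicit, affirmative 'Yes' enables tracking; absence, 'No' or junk all mean no tracking."""
    normalised = {k.lower(): v for k, v in request_headers.items()}
    value = normalised.get(CONSENT_HEADER.lower(), "").strip().lower()
    return value == "yes"


def response_cookies(request_headers: dict, session_token: str) -> list:
    """Build the Set-Cookie header values for a response.

    The session cookie is strictly necessary for the service the user asked for, so it needs no
    consent (PECR 'strictly necessary' exemption). The analytics identifier is not necessary for
    the service and is therefore gated on the consent signal."""
    cookies = [f"sid={session_token}; Path=/; Secure; HttpOnly; SameSite=Lax"]
    if tracking_allowed(request_headers):
        # A long-lived, cross-request identifier is exactly the kind of cookie that needs consent.
        analytics_id = secrets.token_hex(8)
        cookies.append(f"_analytics_id={analytics_id}; Path=/; Max-Age=31536000; Secure; SameSite=Lax")
    return cookies


if __name__ == "__main__":
    # Constructed request header sets: no signal, explicit refusal, explicit consent.
    for label, hdrs in (("no header", {}),
                        ("refused", {"x-tracking-consent": "No"}),
                        ("consented", {"X-Tracking-Consent": "Yes"})):
        print(label, "->", response_cookies(hdrs, "s3ss10n"))
```

The useful property for a compliance reviewer is that the consent-free path is the code path that runs when the client says nothing at all, so a site cannot end up tracking by accident because a browser never implemented the header.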
Many people know about cookies but are unaware of other means of tracking a browser or user. So, for the purpose of this review, a cookie should be defined to include: local storage, browser fingerprinting, etc.
Different sorts of cookies need to be understood: cookies from the site that you visit are very different from 3rd party ones. Session cookies (short term ones that tie together pages visited over 1/2 hour or so) are different from ones that survive over weeks & months.
Opting out should be no harder than opting in. Some web-sites or apps have opt-in with one click, to opt-out you need to click every type of opt-out.
The review should be about (mobile 'phone) apps as well as what happens via a web browser.
Web sites should list every cookie that it (and any 3rd party) sets and say what it is used for.
You should be able to opt out of every sort of cookie - with the exception of session cookies.
Isn't that how cookies work anyway? Cookies are set against a single domain. So website operators who use third party tracking tools on their site are setting cookies against the third party domain. So partitioning by website doesn't really make a difference. But turning off third party cookies would.
> People automatically select "I agree" when presented with cookies pop-ups on the internet, she argued, so they don't have meaningful control over personal data.
"People" may do that but I don't. I click REJECT ALL and if that option doesn't exist I close the window.
But then I also do weird things like read what is written on the screen rather than blindly pressing buttons like a toddler on a sugar rush.
I click reject all as well. What pees me off is people like Ziff Davis who re-ask the question REPEATEDLY on the same page, and again when you restart the browser. I'd think a cookie saying 'I do not want all this tracking' would be within the letter and spirit of the law, rather than just the letter as currently.
<<I'd think a cookie saying 'I do not want all this tracking' would be within the letter and spirit of the law, rather than just the letter as currently.>>
That requires leaving the cookies on your computer. My browser is set to delete cookies when closing. It does, I've checked, and I don't leave the browser open from starting my PC to going to bed.
I can see how Iain Duncan Smith might well find it rather hard to solve a "complex" problem like deciding which of the two buttons to press.
"I Agree...I Don't Agree....... it's just so confusing isn't it?"
Also doesn't realise that it makes him sound like Alan Partridge when he found an "additional costs" item on his hotel bill and then claimed he got confused when his TV asked him to confirm whether he wanted to watch the adult pay TV channel or not.
"But after a bad run in Afghanistan, and facing down COVID-19 and post-Brexit supply chain disruption, Boris Johnson's government could do with a distraction."
Thought you were talking about the EU gov until I got to the end of that sentence. Since most banners are deemed illegal anyway we should probably just tell people to do away with them. And surely nobody will mind if the rules are not enforced already anyway.
...and that is to not try to do things that require a user's explicit consent, such as spewing their adverjism* in the user's face, or tracking and profiling the user in an attempt to monetise the user's visit to their site. Note that there's nothing to stop a site from showing adverts that don't require tracking of the user.
*You're welcome.
Odd how all the papers are reporting this as a "good" thing. "getting rid of the hated cookie prompt".
What's really weird is seeing Mr A Orlowski (late of this parish) spouting the same nonsense in the Telegraph.
It really starts you wanting to reach for the tinfoil hat, when suddenly the machinery of Government, and almost all print journalists, start banging on about "Modernising" data protection, with the first proposal being to reduce it. You do start wondering why the press is supporting the Government on this anti-people measure - are they really working in cahoots? Is what the nutters say about conspiracies true?
@Missing Semicolon
"start banging on about "Modernising" data protection, with the first proposal being to reduce it."
Can modernising not involve reducing something? I don't know if this will be a good or bad thing but one of the reasons to ditch the EU is to reduce the burden of forever more rules.
The whole cookie deal is too complex for the average punter. Session cookies, first party cookies, third party cookies (what about second party cookies), cookie expiration, tracking cookies, why not call them biscuits, fortune cookies; the head spins.
Even here they are not fully understood. First party cookies are not only session cookies. How does a site "keep me logged in" or "remember me" or in some poor implementation instances "remember my preferences"? Answer: first party cookies which are not session cookies. Did you know a session cookie can also be a third party cookie? See, not clear cut. I am sure I do not know all the flavors of cookies or biscuits.
Part of my anti-tracking routine is starting all browser sessions with a clean slate, no site related data retained by the browser. I also attempt to block other tracking methods but it is not easy. Nor do I think I am being complete and successful. I only hope to not be the low hanging fruit.
My wish for the decision (even though I am extra-jurisdictional) is that it not make my approach harder or ineffective. Being a USAian I do not expect to benefit from the EU or UK attempts to curb the private data slurp. On the other hand, I should also not suffer from poor implementations like cookie consent banners.
That is all.
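Two comments above want the cookie taxonomy made concrete: the wish list that sites should list every cookie they and any third party set, and the later observation that first-party cookies are not only session cookies and that a session cookie can also be third-party. This added example (not from any commenter, not from any browser vendor) classifies Set-Cookie headers the way a browser or an audit tool would: first versus third party is decided by comparing the cookie's effective domain with the page's site, and session versus persistent by the presence of Max-Age or Expires (Max-Age wins per RFC 6265, and Max-Age=0 is a deletion). The page URL, hostnames and headers are constructed; the registrable-domain helper takes the last two labels, which is an assumption that real tooling replaces with the Public Suffix List so that hosts under co.uk and similar are grouped correctly.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class CookieReport:
    name: str
    set_by: str        # host that sent the Set-Cookie header
    party: str         # "first" or "third"
    lifetime: str      # "session", "persistent" or "expired"
    same_site: str     # SameSite attribute value, or "unset"
    secure: bool


def registrable_domain(host: str) -> str:
    """Assumption: the registrable domain is the last two labels. Real tools must consult the
    Public Suffix List (e.g. 'bbc.co.uk' would otherwise collapse to 'co.uk')."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def parse_set_cookie(header: str):
    """Split 'name=value; Attr=val; Flag' into (name, value, {attr_lower: val})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def classify(page_url: str, setter_host: str, header: str) -> CookieReport:
    name, _, attrs = parse_set_cookie(header)
    page_host = urlsplit(page_url).hostname or ""
    # Without a Domain attribute the cookie is host-only; with one it covers that domain and subdomains.
    cookie_domain = attrs.get("domain", setter_host).lstrip(".")
    party = "first" if registrable_domain(cookie_domain) == registrable_domain(page_host) else "third"
    if "max-age" in attrs:
        try:                                             # RFC 6265: Max-Age takes precedence over Expires
            lifetime = "persistent" if int(attrs["max-age"]) > 0 else "expired"
        except ValueError:
            lifetime = "session"                         # a malformed Max-Age is ignored by browsers
    elif "expires" in attrs:
        lifetime = "persistent"
    else:
        lifetime = "session"                             # no expiry: dies with the browser session
    return CookieReport(name, setter_host, party, lifetime, attrs.get("samesite", "unset"), "secure" in attrs)


def audit(page_url: str, responses: list) -> list:
    """responses: list of (setter_host, set_cookie_header) observed while loading page_url."""
    return [classify(page_url, host, hdr) for host, hdr in responses]


if __name__ == "__main__":
    # Constructed page load: the site itself sets a login session and a preferences cookie,
    # and an embedded third-party pixel sets one persistent and one session cookie.
    page = "https://www.example.com/news"
    observed = [
        ("www.example.com", "sid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
        ("www.example.com", "prefs=dark; Path=/; Max-Age=2592000"),
        ("pixel.tracker-example.net",
         "_tid=9f1; Domain=.tracker-example.net; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Secure; SameSite=None"),
        ("pixel.tracker-example.net", "_tsid=44; Path=/"),
    ]
    for r in audit(page, observed):
        print(f"{r.name:<8} {r.party:<6} {r.lifetime:<10} SameSite={r.same_site:<6} Secure={r.secure}  (set by {r.set_by})")
```

The output shows all four combinations the thread argues about: a first-party session cookie, a first-party persistent "remember my preferences" cookie, a third-party persistent tracker, and a third-party session cookie. It is also the kind of per-cookie inventory a site would need in order to publish the "what each cookie is used for" list the wish list asks for, with the purpose column being the one thing no tool can infer.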
I don't see the big problem, not as they see it.
Once you've said yes once, you don't generally get asked again by that particular site.
I'm definitely not interested in a browser based cookie setting that applies to places I've never visited yet.
Case by case basis is fine.
Cookies for site functionality are excepted anyway and at least with the pop up you can choose from the options available.