I'm shocked. Who can you trust?
/s
Websites often provide visitors with the opportunity to opt out of data collection. This is not out of their abundant concern for your privacy – it's the law and they're forced to do it. But according to a trio of privacy researchers, opting out doesn't always work – visitor data still gets collected. Legal frameworks, like …
.. that some sneaky websites rely on the addresses blocked by PiHole to provide functionality, so you end up with a partially or completely blank page when visiting certain websites, HolidayExtras being one (I use it to book airport car-parking) and invariably my wife complained regularly that many web pages (mainly shopping sites) weren't loading or working properly with PiHole filtering all DNS traffic.
These days, the only devices filtered by PiHole in my home are the TVs, PVR and media streaming devices.
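The partially blank pages described above usually come from a first-party host (a "metrics." or "cdn." subdomain of the shop itself) sitting on the blocklist, rather than from a third-party ad domain. The script below is an added example, not code from Pi-hole or from any poster: it parses a hosts-format blocklist, then sorts a page's resource hosts into blocked third-party, blocked first-party (the ones that break the page and are candidates for an allowlist entry) and allowed. The blocklist and resource URLs are constructed sample data, and the subdomain matching is an assumption for the example (a plain hosts-file entry is an exact match).

```python
"""Sort a page's resource hosts against a Pi-hole style hosts blocklist.

Added example, not project code. Blocklist and URLs below are constructed.
"""
from urllib.parse import urlparse

# Constructed sample blocklist in hosts-file format, the format Pi-hole ingests.
SAMPLE_BLOCKLIST = """\
# comment line
0.0.0.0 tracker.example-ads.net
0.0.0.0 cdn.example-ads.net
127.0.0.1 metrics.example-shop.test
"""

# Constructed sample of the resources a shop page loads.
SAMPLE_PAGE_RESOURCES = [
    "https://www.example-shop.test/app.js",
    "https://metrics.example-shop.test/collect?u=1",
    "https://assets.cdn.example-ads.net/widget.js",
    "https://pay.example-shop.test/checkout",
]


def parse_hosts_blocklist(text):
    """Return the set of hostnames listed in hosts-format text (comments ignored)."""
    blocked = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:  # need "<address> <host>..."
            continue
        for host in parts[1:]:
            blocked.add(host.lower().rstrip("."))
    return blocked


def is_blocked(host, blocked):
    """True if the host or any parent domain is on the list.

    Assumption for this example: parent-domain (wildcard style) matching.
    A hosts-file entry on its own only matches the exact name.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):  # never match the bare TLD
        if ".".join(labels[i:]) in blocked:
            return True
    return False


def classify_resources(urls, blocked, first_party_domain):
    """Split a page's resource hosts into allowed / blocked third-party / blocked first-party.

    Blocked first-party hosts are the ones that produce the blank-page symptom and
    are the natural candidates for a per-host allowlist entry.
    """
    report = {"blocked_third_party": [], "blocked_first_party": [], "allowed": []}
    for url in urls:
        host = (urlparse(url).hostname or "").lower()
        if not is_blocked(host, blocked):
            report["allowed"].append(host)
        elif host == first_party_domain or host.endswith("." + first_party_domain):
            report["blocked_first_party"].append(host)
        else:
            report["blocked_third_party"].append(host)
    return report


if __name__ == "__main__":
    blocked = parse_hosts_blocklist(SAMPLE_BLOCKLIST)
    for kind, hosts in classify_resources(SAMPLE_PAGE_RESOURCES, blocked, "example-shop.test").items():
        print(f"{kind}: {hosts}")
```

Run it against a real blocklist export and the hosts from a browser's network tab to see which first-party names need allowlisting rather than switching DNS filtering off for the whole device.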
well, I use AdGuard Home instead of pihole, it has to be ublock origin, not ublock, and NoScript is in the past for me, I did use the (imo) better umatrix for some time, but now I don't bother.. too much micro management. Throw a dressing of "I still don't care about cookies" on top, and you've got yourself a nice internet experience. (if you use YouTube, don't forget SponsorBlock)
My list consists of ABP, Ghostery, uBlock Origin, https everywhere, Canvas Defender, Privacy Badger, Trocker, Enhancer for YouTube and Multi Account Containers. I'm considering getting the PaloAlto firewall under my desk sorted shortly since this supports decrypting https connections so they can be evaluated against the ruleset before being re-encrypted for onward forwarding, which might solve the Pihole issue vs FF dns over https. It's a lot of armor to put on, but when it's cold outside you suit up. I also use a VPN when the need arises.
Don't use google, except perhaps for maps, use startpage.com
Don't use gmail. Maybe get your own domain since they're so cheap or there's protonmail and its ilk.
I have not seen any overt adverts for a very long time. If there's a site that I *need* to see that has issues I'll switch to edge briefly which imho is like walking out into the desert naked.
I'm sure there's still some very determined spam meisters able to approximate my online movements but they won't garner much.
I can't say I'm surprised.
A related element, which continues to baffle me, is the concept of "Legitimate Interest", which you can find all over websites in these consent management systems.
Sometimes allowing you to nicely decline all these with one button, other times requiring you to scroll through and click every single one of the pre-ticked boxes (at this point of course, you just leave the website), of which I can say I've seen at least 50 on one website alone. And then you press the "Accept all" button by mistake, and now good luck navigating to the consent management system hidden somewhere on the page.
I have no idea what differentiates Legitimate Interest from the general consent-requiring cookies, but surely since it doesn't require active opt-in, surely it can't really be that bad. Surely their legitimate interests run in perfect parallel to my own?
It's difficult because legitimate interest is supposed to cover things like an online retailer providing your name and address to a logistics provider so they can ship a package to you (or just provide a quote), or you consenting to your details being shared with stripe or Shopify for a small retail site. However, as you suggest, an advertiser has a legitimate interest in advertising to you from their own perspective (they aren't pretending that they want to advertise to you, so legitimate is the correct word to describe their interest).
"It's difficult because legitimate interest is supposed to cover things like an online retailer providing your name and address to a logistics provider so they can ship a package to you (or just provide a quote), or you consenting to your details being shared with stripe or Shopify for a small retail site."
Nope, that would be covered by GDPR Article 6(1)(b) "Performance of a contract", for an online retailer the "contract" would be fulfilling your order which would obviously require passing delivery details to a logistics provider and payment information to the likes of Stripe or Shopify.
Most of the Article 6(1) lawful bases do not require a "balancing test", Legitimate Interest does - the Data Controller must balance their interests against those of the individual and they must document this decision making via a Legitimate Interests Assessment (LIA, almost sounds like "liar" doesn't it).
I should add that my (now no longer internet connected) Samsung TV took this to the extreme. Hidden deep in the settings were consents - set to on of course - for hundreds of data collectors. So many that they were grouped alphabetically A-C, D-F etc. Each one had to be set to "off" individually, sometimes more than one switch for a given site. No "Reject all" switch. But of course there was an "accept all" button nicely placed to be accidentally turned on.
I should also add that, even in my 60s and generally pretty cynical, I am still shocked that there are so many people prepared to do this - to cynically and knowingly choose to circumvent the public's rights with out-and-out overt trickery etc. People who can then go home and look their wives/husbands/kids/neighbours in the eye, and who can sleep at night. Maybe even some of you out there reading this.
I have used the small claims court and various consumer laws to force the retailers (as the laws apply to them not the manfr) to refund me in full or part for several bits of internet connected techno-junk.
I think the UK has broadly similar laws.
If you can't use the internet features because it is spying - and I would bet the retailer did not disclose any of that, then I would say you have lost 70% of the value of an internet connected TV.
I got a full refund for a Sony TV that played from YouTube, when YT changed the API, and it stopped working. I had a reasonable expectation that the TV would work as advertised by the retailer for 3-4 years.
Not to berate you, I'm like you and like practically everybody else - but to state the bleeding obvious - "didn't have the strength to battle this one" was 100% the intended effect of Samsung's non-reply. The hoops get progressively higher, until only a handful of weirdos remain, and even those, 2-4 years later, come back to the obvious conclusion: why did I spend x years wasting my time to get an automated acknowledgement that they're very sorry, and this feature is no longer implemented in the current product line (while, at the same time, they have already implemented another 'feature' in their current line - with exactly the same purpose). Whack-a-mole always works - at least to the benefit of one party.
My excuse is that I'm getting too old for fighting every damned battle that no one else can be arsed to do. I think the Brexit nonsense (which a lot of other people could be bothered to fight but it still didn't get past the lies) did it for me.
IMHO, the ONLY area that they are smart is in collecting as much information on you as possible. Every little bit of data... yes, even when you use the toaster... can be used to build a profile of you. Once complete, they can sell it to all and sundry.
I will never connect any appliance (Kitchen, laundry and TV) I buy to the internet. If I buy something and it stops working because of that then it will be returned as 'not fit for purpose'.
> People who can then go home and look their wives/husbands/kids/neighbours in the eye, and who can sleep at night. Maybe even some of you out there reading this.
"There are hardly any excesses of the most crazed psychopath that cannot easily be duplicated by a normal kindly family man who just comes in to work every day and has a job to do." ― Terry Pratchett.
I have no idea what differentiates Legitimate Interest from the general consent-requiring cookies, but surely since it doesn't require active opt-in, surely it can't really be that bad. Surely their legitimate interests run in perfect parallel to my own?
Upvoted for perfect dead pan sarcasm.
Legitimate Interest - you can be absolutely certain that consent boxes for this are anything but legitimate.
Any legitimate interest is limited to that information that the website operator requires to provide you with the service of the website and the product or service you may order via that website. They are legally entitled to record this information without asking for consent.
Therefore, the fact that some of these consent boxes include categories labelled 'legitimate interest' immediately tells you that they are *not* legitimate interest at all! Any website that tries this con on me gets terminated immediately.
For fun, check out jamieoliver.com - in the cookie management pop-up, if you click to expand the vendor list... The sheer horror of it. Your site with 50 trackers - almost doesn't count.
On my phone, in vertical orientation, my scroll bar is about 3 pixels tall. It is near infinite.
It seems that nearly all websites have this "legitimate interests" bit tucked away, with EXACTLY the same headings as the ones we have just declined. How on earth is "Personalised ads" a legitimate use FFS ?
I've just visited a site to get a sample. The "Evening Standard" (a newspaper in London, England). Their "Legitimate Interest" tab doesn't even have a scrollbar so that you can see the things they are assuming you want to opt in to. They do however have a Cancel button, which takes you back to the place where you have implicitly agreed to all the shenanigans, and a Save button, which tells them that you have EXPLICITLY agreed to all the shenanigans.
Genuinely believe it's too much regulation for SMEs to honestly follow even given their best efforts. When you hire a web dev or team thereof who provides a cookies consent form for multiple downstream suppliers, yet you don't REALLY know if it's working and it takes in-depth research like this to prove one way or the other.
You have to trust the suppliers.
Yet no bigger org is suitably punished like Facebook with its "it's not consent, it's a contract" approach to the problem which was allowed to go WAY too far as a defense. Really should be top down, and supplier based, war on drugs style (except actually landed in morality and ethics) - target the suppliers and sanction those outside of legal reach, then work your way back in.
When people don't get paid for the ads they provide and have assets temporarily frozen for dealing with sanctioned companies, you bet they'll take notice of who they deal with, or stop taking the risk of (unwanted in the first place) ads at all.
Compliance is trivial - don't collect the data. You don't need it, and it's objectively worthless anyway.
All it would really take is for a couple of maximum fines. Even better, the fines would be a significant proportion of annual tax take, so would knock a decent dent in the debts of whichever government had the spine to do it.
Your point is completely true but all I'm saying is that putting a single ad on your site, or signing up to gather some performance metrics from a third party: You can only see what the suppliers want you to see - not what they gather, keep and then pass on. And your cookie consent form only presents to your customers the information you have.
Absolutely punish them. Just punish the right people is my point. Wilful ignorance isn't an excuse but precedent has already been set that suppliers can be trusted because fines haven't gone out thus far. Go after the ad/tracker companies and not those SMEs that have been lured in by those companies and just so happen to set the cookie.
The lack of punishment so far has given the ad shovellers a massive air of legitimacy and I don't really trust a crackdown to target the real offenders, just the soft targets of SMEs, not the Googles and Facebooks of the world.
"No web site requires any cookies."
Umm, how do you think you logged in to your account, and remained logged in to actually be able to post that comment as you, then? [1]
A functional cookie retains that sort of browser state between page loads (as http is stateless), and genuine functional cookies are explicitly allowed as they are required to enable that particular functionality that you requested. Not all cookies are evil (although those that you don't need or want can be).
[1] There are probably other web technologies nowadays, such as local storage, which could do essentially the same, but these would be deemed to be similar to cookies for the relevant laws.
As it happens, I'm OK with session cookies. But that's not the point. No site requires cookies. It is perfectly feasible to embed a session token in the URL or indeed the body of the pages.
I do a fair bit of web development (albeit mostly not public-facing) and never set any cookies. OK, the stuff I work on is single page applications, so the state doesn't need to survive page loads. I'm not suggesting for a moment that it's necessarily a good idea, but this web site could have that architecture too, technically.
-A.
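The exchange above turns on what a functional session cookie actually does: HTTP carries no state between requests, so the cookie is just an unguessable handle to a record the server keeps. The following is an added example, not this site's code, using only the Python standard library with request and response shapes reduced to plain strings. It issues a session handle with the attributes a functional cookie should carry (HttpOnly, Secure, SameSite), resolves a later request's Cookie header back to the user, and rejects unknown or revoked handles; the in-memory store and the user name are constructed for the example.

```python
"""Functional session cookie: issue, resolve and revoke a server-side session.

Added example, not the forum's own code. Stdlib only; no web framework.
"""
import secrets
from http.cookies import SimpleCookie, CookieError

SESSION_COOKIE = "sid"
# Server-side session store: session id -> per-user state. In-memory for the
# example; a real deployment would back this with a database or cache.
_sessions = {}


def start_session(username):
    """Create a session for a logged-in user and return (sid, Set-Cookie header value)."""
    sid = secrets.token_urlsafe(32)  # 256 bits of randomness: not guessable
    _sessions[sid] = {"user": username}
    c = SimpleCookie()
    c[SESSION_COOKIE] = sid
    c[SESSION_COOKIE]["httponly"] = True   # page scripts cannot read it
    c[SESSION_COOKIE]["secure"] = True     # only sent over HTTPS
    c[SESSION_COOKIE]["samesite"] = "Lax"  # withheld on most cross-site requests
    c[SESSION_COOKIE]["path"] = "/"
    return sid, c[SESSION_COOKIE].OutputString()


def current_user(cookie_header):
    """Resolve the user behind a request's Cookie header, or None if not logged in."""
    if not cookie_header:
        return None
    c = SimpleCookie()
    try:
        c.load(cookie_header)
    except CookieError:
        return None  # malformed header: treat as anonymous
    morsel = c.get(SESSION_COOKIE)
    if morsel is None:
        return None
    session = _sessions.get(morsel.value)  # unknown/forged ids simply miss
    return session["user"] if session else None


def end_session(sid):
    """Log out: drop the server-side record so the cookie value is worthless."""
    _sessions.pop(sid, None)


if __name__ == "__main__":
    sid, header = start_session("alice")  # constructed user name
    print("Set-Cookie:", header)
    print("next request resolves to:", current_user(f"{SESSION_COOKIE}={sid}"))
    print("forged id resolves to:", current_user(f"{SESSION_COOKIE}=not-a-real-session"))
    end_session(sid)
    print("after logout:", current_user(f"{SESSION_COOKIE}={sid}"))
```

Everything of value lives in the server-side store; the cookie is only the lookup key. That is also why the reply's alternative of carrying the token in a URL or page body can work technically: the same store serves it, at the cost of the token appearing in browser history, logs and Referer headers, which the cookie attributes above are there to avoid.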
how many CEOs (or others at similar level) have been put behind bars? A few. Do any CEOs pay 'global fines' from their own pocket, or from their bonuses? Generally they move so quickly from one business to another, that you can't pin the blame on the current one, it was two guys before your honour! But yes, we will settle out of court, yes we do have funds, but let's sit down and negotiate, it's a little too much...
It's time we started fining the Investors.
Then business might take note.
Even if a CEO goes to jail, a big enough company can just get a new CEO. A threat of jail just means they get more danger-money. But if, in extreme cases such as those water utilities flushing raw sewage into rivers, the investors were fined a small percentage of their shareholding for each breach of the law, then misbehaving companies would eventually be taken into public ownership. That ought to give the board of directors reason to clean up their companies' acts.
Surely if the fine is substantial enough and the press negative enough, the investors are 'paying a fine' indirectly by a devalued product.
Regarding CEOs moving on and getting paid more danger money. If a CEO moves on and is found guilty of past crimes in another company then... what's the problem with prosecuting them regardless of whether they're current or not? For danger money, the answer's simple. All previous money, and the things it was spent on, are 'proceeds of crime' and so get taken.
Like I said, the fines, the prison sentences and the impacts aren't high enough yet for CEOs to stop being cunts, and their colleagues in government who permit them to get away with all this aren't any better.
Short-term "investors" aka speculators, are quite happy when the value plummets (especially if they can predict it) as they can go short on the stock and make even more of a fortune from scandalous collapses than long-term investors can make from a well-managed company.
However, if when the government fined a company, it actually confiscated 1% of that company's shares, then even the short-sellers would lose out, because the stock price hasn't gone down, there is just less of it available.
And then for repeat offenders, such as water companies, the government would end up as a controlling shareholder and could forcibly clean up the company's act.
Even though cookies were the most accurate way of tying an ID to sites and adverts, what happens now instead is that every click-through and site visit is tagged with your ID and those clicks are themselves sent to analytical aggregators that use probabilities to tie your social media ID. The cookie laws are irrelevant and simply bypassed.
And yes - the way the opt in/out panes work is a simple logical OR of Allow or Legitimate Interest for you to be tracked.
Some of these opt-in/out tracking panes refer to a long list of 3rd parties who you have no direct control over whether they track you or not.
These analytical aggregators have strict NDAs with the social and search giants so they cannot publicise what they do.
As the researchers found out, the companies are complying with the letter of the law but not the spirit, and in some cases not even the former, through outsourcing of tracking under NDA and other contractual terms that keep them free from direct accusation of non-compliance.
I am not sure whether that is true? It remains the legal responsibility of the webmaster/owner to comply with the law. It is for them to check and ensure that any third party they use for providing consent management does indeed provide the protection that they claim. It would be the website operator that the law would go for in the first instance and I doubt whether a plea of "they said their app was compliant and I took them at their word" would get them off the hook.
"I doubt whether a plea of "they said their app was compliant and I took them at their word" would get them off the hook."
The CNIL specifically states that "bonne volonté" ("but they said...") is an unacceptable excuse. A Data Controller is obliged to audit Data Processors that manage data on their behalf.
This was written in the context of, say, your employer outsourcing their HR or whatever. However it would be interesting to determine if visiting a website causes personal information to be collected (even if by a third party), since it's the visitation that triggers this, does that make the site owners the Data Controller (and, therefore, the responsible party)?
I'd Google, but far too much "check your site is compliant" spam for a Friday evening.
These analytical aggregators have strict NDAs with the social and search giants so they cannot publicise what they do.
As GDPR says data subjects have to be informed what their data is being used for, signing an NDA like that makes it impossible to claim to be GDPR compliant in good faith.
"But we couldn't tell them what the data is being used for - we were bound by the NDA with $ad_flinger" won't get them off the hook either, you can't overrule laws with NDAs.
To be fair, I've seen a positive trend recently, where more CMPs will now default to opt-out when you choose to 'Manage my choices'. They will still make it easier for you to 'Accept all', through careful placement and highlighting of the choice buttons, but at least the Reject option is a 1-click process.
Only a FEW do this. The vast majority tuck in a corner the "Legitimate interest" button. Looking there WILL show that EVERYTHING you thought you had opted out of is set to "allowed".
It's a straight logical OR for these sections in the site code, if they take any notice at all.
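Two posts in this thread describe the same mechanism: a purpose stays active if the consent flag OR the legitimate-interest flag is set, so declining everything on the consent tab leaves the legitimate-interest tab deciding. The script below is an added example and not any CMP's code; the record layout is a constructed simplification (not the IAB TCF string) and the vendor names are made up. It audits a stored record after "Reject all" on the consent tab, shows which vendors can still process under the OR rule, honours a legitimate-interest objection, and produces what a genuine "Object all" has to look like: both flags off and every vendor disabled, which also covers the vendor-level re-enabling problem raised later in the thread.

```python
"""Audit a consent record for the consent-OR-legitimate-interest trap.

Added example; constructed record layout and vendor names, not a real CMP format.
"""

# Constructed record as a CMP might store it after the user pressed "Reject all"
# on the consent tab but never opened the legitimate-interest tab.
SAMPLE_RECORD = {
    "purposes": {
        "store_information": {"consent": False, "legitimate_interest": True},
        "personalised_ads": {"consent": False, "legitimate_interest": True},
        "measure_performance": {"consent": False, "legitimate_interest": False},
    },
    "vendors": {
        "AdNet-1": {"enabled": True, "purposes": ["store_information", "personalised_ads"]},
        "Metrics-2": {"enabled": True, "purposes": ["measure_performance"]},
        "AdNet-3": {"enabled": False, "purposes": ["personalised_ads"]},
    },
}


def purpose_active(record, purpose, objections=frozenset()):
    """The OR rule: consent, or legitimate interest the user has not objected to."""
    p = record["purposes"][purpose]
    return p["consent"] or (p["legitimate_interest"] and purpose not in objections)


def active_purposes(record, objections=frozenset()):
    """Purposes still active under the record, sorted for stable output."""
    return sorted(p for p in record["purposes"] if purpose_active(record, p, objections))


def vendors_still_active(record, objections=frozenset()):
    """Enabled vendors with at least one active purpose -> the purposes they keep."""
    out = {}
    for name, v in record["vendors"].items():
        if not v["enabled"]:
            continue
        kept = [p for p in v["purposes"] if purpose_active(record, p, objections)]
        if kept:
            out[name] = kept
    return out


def object_to_all(record):
    """What a real "Reject all" / "Object all" must produce: a fresh record with
    consent and legitimate interest off for every purpose and every vendor disabled."""
    return {
        "purposes": {p: {"consent": False, "legitimate_interest": False} for p in record["purposes"]},
        "vendors": {n: {"enabled": False, "purposes": list(v["purposes"])}
                    for n, v in record["vendors"].items()},
    }


if __name__ == "__main__":
    print("after consent-tab Reject all:", active_purposes(SAMPLE_RECORD))
    print("vendors still processing:", vendors_still_active(SAMPLE_RECORD))
    objected = {"store_information", "personalised_ads"}
    print("with LI objections:", vendors_still_active(SAMPLE_RECORD, objected))
    print("after Object all:", vendors_still_active(object_to_all(SAMPLE_RECORD)))
```

The useful check when inspecting a site's stored choices is the second print: anything listed there is a vendor that the "Reject all" button did not actually stop.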
Consent Management platforms are bullshit anyway.
There's one that has the primary uses on the intro panel, with "legitimate interest" as a button on the bottom right. All of which are preticked (with an easy "Object all" button at the top).
In the course of a browsing session, you'll run into this platform numerous times, and each and every time it's the same bloody story.
They COULD use a strictly necessary cookie to remember your choice, but they choose not to (though I'm sure if you said yes, they'd not keep asking) because they're hoping to annoy you into agreement.
A pox on all their houses.
The law says that opt-out is the default.
The law? There are ~180-200 countries depending on who's counting, federated systems like Germany and the US have major amounts of sub-national level laws and cross jurisdictional enforcement is a Panamax container ship load of worms. Add to that bullshit fictions like "legitimate interest" and dealing with tracking abuse is worse than fighting the Hydra. A mandatory death penalty for first offences might bring it down to tolerable levels.
Oh, how I should like to see that. Start with spammers. Let the trackers watch as the (necessarily) giant cat whacks and pierces the bodies of the scumbags before letting them die in agony, knowing that they're next.
Sorry, that was a bad dream. In real life I'm vegetarian and pacifist.
And yet....
-A.
.. is complete bollocks as well.
All mine are set to off, including my phone
Add a REALLY obscure band of the 90s to my Spotify playlist (Sheep On Drugs if you're wondering).
Two days later they appear in my FB feed, despite nothing I follow in any way relating to an obscure no hit wonder band.
So as a test, I added Sk8er Boi by Avril Lavigne. Again no way related to Sheep On Drugs or any other band I listen to..... it took a week for her to pop up in my Instagram.
> the former singer of Sheep On Drugs tattooed my arm
You read about this sort of thing all the time in the papers.
There you are, calmly walking down the street, when - blam! You've been tattooed by an ex-indie band singer! Next thing you know, some John Cooper Clarke tribute act has corniced your shopping bag in the Rococo style and the police are no help at all: "Sorry sir, we don't deal with any architectural styles prior to the 1920s Revivalists". What is the World coming to, that's what I'd like to know.
Sorry, what were we talking about?
The answer to issues like this is incredibly simple.
Fine the transgressors of laws/regulations with a percentage of their revenue.
There isn't a company on earth that will not pay attention to that. If you fine based on their profits then they just shuffle money around in their accounting statements. If you give a fixed fine, it's unfair to the small guys and pocket change to the big guys.
If you fine 1% of their annual revenue these transgressions will disappear overnight.
Finland has done it for decades with traffic fines. It works incredibly well.
In the UK we have the ICO, whose job it specifically is to do exactly that. If only they would/did. They don't. Around Europe many ICOs have done small things, but not the big things. Mr Schrems gets much credit.
But the problem is voters aren't going to like not having access to Facebook, Instagram, Google and the like.
So we get what we 'want', collectively, whether we few here agree or not.
"but not the big things"
France's CNIL keeps going after Google for multiples of €50,000,000, and recently ruled that the use of Google Analytics on French websites was not legal (which meant huge swathes of GA vanished in a hurry).
Okay, it's not 4% of turnover, but they are rocking the boat.
"Finland has done it for decades with traffic fines. It works incredibly well."
... at making money. Nothing else. Literally. Very poor example.
'Traffic violations' have increased from ~100k cases per year to ~300k cases per year, while revenue from fines has increased from 65M euros to 220M euros per year, from 3.5M cars. The *goal* for Police is to get 600k violations per year.
Someone might wonder why the *goal* is to *increase* traffic violations, but obviously Jo Ma Sepoes doesn't. Anyone else might think it's all about money. Not safety as safety is not even mentioned when goals are discussed. No wonder, safety hasn't changed at all.
Not a surprise: Highway robbery doesn't increase safety ... and nothing else has been done.
People need to understand that GDPR wasn't created to offer better privacy or to protect user personal data.
First we had the Cookie Law that trained people into clicking consent boxes without reading.
Then we had a GDPR where people who are already trained into clicking boxes without reading consent to processing their data.
Now big corporations have personal data that they can legitimately process and sell and before the GDPR it was a grey area.
Downvote because while the EU makes the rules, it's up to each country to enforce them. Some countries have organisations that do attempt to provide enforcement (even if it is a slow legal process), while other countries have organisations that are best described as "not fit for purpose".
Legislation without sufficient enforcement is useless. Back in the C19th when the Factory Acts and the like were introduced an inspectorate was set up to ensure it was obeyed.
The same thing is needed now along with a provision that was in DPA 1.0: the power to forbid further data processing until the situation is remedied. Party inspected tries to hide from the inspector via an NDA? Told to take down the site Right Now.
> Prison time for CEOs
They would still find a way around it.
Like hiring some old lag who'd been institutionalised years ago to sit as "the CEO": his/her going back into clink would be no problem - going into a white-collar open prison would be a holiday, a cushy number.
Meanwhile, "Vice President of Boardroom Seating" carries on running things and smiling all the way to the bank.
A fun one to check out is any *.fandom.com website.
On a few occasions now I went to the trouble of unchecking all vendors in their consent dialog (an excessively and unreasonably time-consuming process in itself - not to mention dishonest since the selected purpose might be disabled but all vendors listed within the collapsible section for that purpose remain enabled).
Funny thing is though, in some cases the options for some vendors get re-enabled after I had explicitly disabled them. I only know this because on one occasion it happened as I was unchecking other entries further down, without me choosing to do so.
And I'll say it again - tracking won't end until there's a high profile trial ending in jail time. Put the CEO and board of, say, Google in the tanty for about 10 years, general population, normal prison instead of Club Fed, along with confiscation of stock, huge fines and a lifetime ban on ever serving on the board of a publicly traded company, and suddenly illegal tracking by large corps is no longer a problem. No other CEO will want to risk being Googled. And only prison time for the ones in charge will do it - directors going to prison won't matter, nor will larger fines.
...and a lifetime ban on ever serving on the board of a publicly traded company,
Don't forget a lifetime entry on the Data Offenders Register. Elements of that could be copied from the Sex Offender one and applied to data rapists. Must be freely available to the public, and allow data offenders to be tracked and monitored. So their geolocation, browsing and search history, keyword entry, interests etc etc. Basically anything and every datapoint collected, aggregated or inferred about us is made public for them. For security and privacy reasons, there could be a couple of exemptions, like passwords. Even though keystroke logging means data rapists can grab those anyway as we type them.
I cannot see any C-level exec objecting to this because they already think it's perfectly acceptable for them to hoard this data anyway.
You really do need to include the CEO *and* board though, because the CEO can already be a fall guy. It has to be the risk of team failure to encourage team policing. It should also probably be confiscation of more assets than just stocks, as a nice nest egg squared away means it's easier to start over with the next grift.
Well no, Pi-Hole won't work because my old DNS-323 (running Alt-F) doesn't have the necessary resources to run APT.
But I did find AdGuard Home for Arm5 runs magnificently within the 64 MB ram! It subscribes to any/all of the Pi-Hole filters and does daily updates and adds just 115 ms latency to any DNS lookup. Memory utilization holds to about 90%, CPU to about 15%. Swap file only 1 MB.
Works good and I did not have to buy anything or even do much config. I was already serving HDD over Ethernet (NAS) so why not host a freeware DNS filter too?
...the poster from that 1960s B-movie, "Attack of the Giant Spermatozoa".