Thought you'd opted out of online tracking? Think again

Websites often provide visitors with the opportunity to opt out of data collection. This is not out of their abundant concern for your privacy – it's the law and they're forced to do it. But according to a trio of privacy researchers, opting out doesn't always work – visitor data still gets collected. Legal frameworks, like …

  1. Potemkine! Silver badge

    I'm shocked. Who can you trust?

    /s

    1. Alumoi Silver badge

      pihole, uBlock, NoScript, Privacy Badger, Clean URLs and about:config.

      1. David 132 Silver badge
        Thumb Up

        Pihole in particular is invaluable - instant ad blocking for just about every device on the network.

        Although remember to turn off Firefox's $%@#! DNS-over-HTTPS which if you're not paying attention will helpfully bypass your Pi-hole.

        1. Alumoi Silver badge

          I did say about:config, right?

          1. Anonymous Coward
            Anonymous Coward

            For those who don't know where to look in about:config.

            Go to Settings, under General Settings scroll right to the bottom and click the 'Settings...' button under 'Network Settings', DNS over HTTPS is on the bottom of the panel that pops up.

        2. itzumee

          The only problem with pihole is...

          .. that some sneaky websites rely on the addresses blocked by PiHole to provide functionality, so you end up with a partially or completely blank page when visiting certain websites, HolidayExtras being one (I use it to book airport car-parking) and invariably my wife complained regularly that many web pages (mainly shopping sites) weren't loading or working properly with PiHole filtering all DNS traffic.

          These days, the only devices filtered by PiHole in my home are the TVs, PVR and media streaming devices.

          1. heyrick Silver badge

            Re: The only problem with pihole is...

            I used to have that problem too. But in the end I decided that a vendor requiring me to punch a hole in my defences isn't a vendor I'm inclined to want to trust.

            The thing about the internet is that, usually, there are alternatives.

          2. S O

            Re: The only problem with pihole is...

            Have you ever seen a better reason but to access a site?

          3. Mr. Flibble

            Re: The only problem with pihole is...

            you can whitelist things though....

        3. S O

          Make sure to also enable a DNSSEC provider on the PiHole or your ISP will helpfully negate many of your efforts.

          Firefox attempting to do that much is not a bad thing for lay users.

        4. Halfmad

          My daughter complains about not being able to play adverts in her games when at home because of pihole lol

          Tough..

      2. Piro Silver badge

        well, I use AdGuard Home instead of pihole, it has to be ublock origin, not ublock, and NoScript is in the past for me, I did use the (imo) better umatrix for some time, but now I don't bother.. too much micro management. Throw a dressing of "I still don't care about cookies" on top, and you've got yourself a nice internet experience. (if you use YouTube, don't forget SponsorBlock)

        1. katrinab Silver badge
          Meh

          I switched from PiHole to the adblocking offered by OpnSense. Seems to be a bit faster, just as good at blocking ads, it uses the same filter lists as PiHole, and as I was using it anyway, reduces the number of computers I need on my network.

      3. elsergiovolador Silver badge

        If someone could update the pihole with a sort of an admin option where you could make it substitute the ads with your own content.

        Imagine being able to run a campaign between 5pm to 7pm with "Wash the dishes" message seen everywhere someone at home is browsing the internet.

        1. Arthur the cat Silver badge

          Imagine being able to run a campaign between 5pm to 7pm with "Wash the dishes" message seen everywhere someone at home is browsing the internet.

          Imagine being repeatedly bludgeoned about the head and torso with heavy objects by irate cohabitees.

          1. parlei

            Now I want popup ads for stuff like "cleaning bathroom" and "take out recycling" targeted on the teenager...

            1. Arthur the cat Silver badge

              Now I want popup ads for stuff like "cleaning bathroom" and "take out recycling" targeted on the teenager...

              <teenage-voice>That's so unfair!</teenage-voice>

      4. Anonymous Coward
        Anonymous Coward

        My list consists of ABP, Ghostery, uBlock Origin, https everywhere, Canvas Defender, Privacy Badger, Trocker, Enhancer for YouTube and Multi Account Containers. I'm considering getting the PaloAlto firewall under my desk sorted shortly since this supports decrypting https connections so they can be evaluated against the ruleset before being re-encrypted for onward forwarding, which might solve the Pihole issue vs FF dns over https. It's a lot of armor to put on, but when it's cold outside you suit up. I also use a VPN when the need arises.

        Don't use google, except perhaps for maps, use startpage.com

        Don't use gmail. Maybe get your own domain since they're so cheap or there's protonmail and its ilk.

        I have not seen any overt adverts for a very long time. If there's a site that I *need* to see that has issues I'll switch to edge briefly which imho is like walking out into the desert naked.

        I'm sure there's still some very determined spam meisters able to approximate my online movements but they won't garner much.

  2. Anonymous Coward
    Anonymous Coward

    I can't say I'm surprised.

    A related element, which continues to baffle me, is the concept of "Legitimate Interest", which you can find all over websites in these consent management systems.

    Sometimes allowing you to nicely decline all these with one button, other times requiring you to scroll through and click every single one of the pre-ticked boxes (at this point of course, you just leave the website), of which I can say I've seen at least 50 on one website alone. And then you press the "Accept all" button by mistake, and now good luck navigating to the consent management system hidden somewhere on the page.

    I have no idea what differentiates Legitimate Interest from the general consent-requiring cookies, but surely since it doesn't require active opt-in, surely it can't really be that bad. Surely their legitimate interests run in perfect parallel to my own?

    1. Anonymous Cow-Pilot

      It's difficult because legitimate interest is supposed to cover things like an online retailer providing your name and address to a logistics provider so they can ship a package to you (or just provide a quote), or you consenting to your details being shared with stripe or Shopify for a small retail site. However, as you suggest, an advertiser has a legitimate interest in advertising to you from their own perspective (they aren't pretending that they want to advertise to you, so legitimate is the correct word to describe their interest).

      1. Anonymous Coward
        Anonymous Coward

        They have a legitimate interest in selling you out to anyone with cash.

        And woe betide you if they catch you alone in a dark alley when the kidney transplant market is especially hot.

      2. Anonymous Coward
        Anonymous Coward

        "Its difficult because legitimate interest is supposed to cover things like an online retailer providing your name and address to a logistics provider so they can ship a package to you (or just provide a quote), or you consenting to your details being shared with stripe or Shopify for a small retail site."

        Nope, that would be covered by GDPR Article 6(1)(b) "Performance of a contract", for an online retailer the "contract" would be fulfilling your order which would obviously require passing delivery details to a logistics provider and payment information to the likes of Stripe or Shopify.

        Most of the Article 6(1) lawful bases do not require a "balancing test", Legitimate Interest does - the Data Controller must balance their interests against those of the individual and they must document this decision making via a Legitimate Interests Assessment (LIA, almost sounds like "liar" doesn't it).

    2. Anonymous Coward
      Anonymous Coward

      There are often options like 'combine data sources', 'link devices' and 'use device characteristics' that are normally 'strictly necessary', to create a fingerprint to track you (and your household) across multiple devices

    3. Terry 6 Silver badge

      I should add that my (now no longer internet connected) Samsung TV took this to the extreme. Hidden deep in the settings were consents- set to on of course- for hundreds of data collectors. So many that they were grouped alphabetically A-C D-F etc. Each one had to be set to "off" individually, sometimes more than one switch for a given site. No "Reject all" switch. But of course there was an "accept all" button nicely placed to be accidentally turned on.

      I should also add that, even in my 60s and generally pretty cynical I am still shocked that there are so many people prepared to do this- to cynically and knowingly choose to circumvent the public's rights with out and out overt trickery etc. People who can then go home and look their wives/husbands/kids/neighbours in the eye, and who can sleep at night. Maybe even some of you out there reading this.

      1. heyrick Silver badge

        If you're in the EU, did you report your TV? Having hundreds of opt-outs but an easy opt-in for everything is a huge GDPR fail.

        The Daily Mail used to be like that, but even they got the hint (mostly).

        1. Terry 6 Silver badge

          I'm in the UK. The data commissioner office said that I had to complain to Samsung first, which I did with the expected total lack of any response. But I just didn't have the strength to battle this one- and said TV is no longer connected to the internet.

          1. Anonymous Coward
            Anonymous Coward

            I have used the small claims court and various consumer laws to force the retailers (as the laws apply to them not the manfr) to refund me in full or part for several bits of internet connected techno-junk.

            I think the UK has broadly similar laws.

            If you can't use the internet features because it is spying - and I would bet the retailer did not disclose any of that, then I would say you have lost 70% of the value of an internet connected TV.

            I got a full refund for a Sony TV that played from you tube, when YT changed the API, and it stopped working. I had a reasonable expectation that the TV would work as advertised by the retailer for 3-4 years.

          2. Anonymous Coward
            Anonymous Coward

            re. But I just didn't have the strength to battle this one

            not to berate you, I'm like you and like practically everybody else - but to state the bleeding obvious - " didn't have the strength to battle this one " was 100% the intended effect of Samsung non-reply. The hoops get progressively higher, until only a handful of weirdos remain, and even those, 2-4 years later, come back to the obvious conclusion: why did I spend x years wasting my time to get an automated acknowledgement that they're very sorry, and this feature is no longer implemented in current product line (while, at the same time, they have already implemented another 'feature' in their current line - with exactly the same purpose). Whack a mole always works - at least to the benefit of one party.

            1. Terry 6 Silver badge

              Re: re. But I just didn't have the strength to battle this one

              My excuse is that I'm getting too old for fighting every damned battle that no one else can be arsed to do. I think the Brexit nonsense (which a lot of other people could be bothered to fight but it still didn't get past the lies) did it for me.

          3. Anonymous Coward
            Anonymous Coward

            The same goes for 'smart' devices in general

            IMHO, the ONLY area that they are smart is in collecting as much information on you as possible. Every little bit of data... Yes, even when you use the toaster can be used to build a profile of you. Once complete, they can sell it to all and sundry.

            I will never connect any appliance (Kitchen, laundry and TV) I buy to the internet. If I buy something and it stops working because of that then it will be returned as 'not fit for purpose'.

          4. Dave559

            Report the story about the non-GDPR-compliant tv to noyb, and chip them a donation. They do have the energy to take these sort of things on. They might not necessarily get involved in this particular case, but it's all good information for the dossier!

            1. Terry 6 Silver badge

              Thanks, they have a Masto link. I'll visit that later.

      2. ChoHag Silver badge

        > People who can then go home and look their wives/husbands/kids/neighbours in the eye, and who can sleep at night. Maybe even some of you out there reading this.

        "There are hardly any excesses of the most crazed psychopath that cannot easily be duplicated by a normal kindly family man who just comes in to work every day and has a job to do." ― Terry Pratchett.

        1. Stork

          Did he get it from Hannah Arendt?

    4. Arthur the cat Silver badge

      I have no idea what differentiates Legitimate Interest from the general consent-requiring cookies, but surely since it doesn't require active opt-in, surely it can't really be that bad. Surely their legitimate interests run in perfect parallel to my own?

      Upvoted for perfect dead pan sarcasm.

    5. S O

      It is, of course, one of the many holes in current regulations, and the reason contracted brokers are having the services now.

      This combination allows for legal indemnity while making excuses for doing the same things as before.

    6. nobody who matters

      Legitimate Interest - you can be absolutely certain that consent boxes for this are anything but legitimate.

      Any legitimate interest is limited to that information that the website operator requires to provide you with the service of the website and the product or service you may order via that website. They are legally entitled to record this information without asking for consent.

      Therefore, the fact that some of these consent boxes include categories labelled 'legitimate interest' immediately tells you that they are <not> legitimate interest at all! Any website that tries this con on me gets terminated immediately.

    7. bogomips

      ... and then we add the chillie jam...

      For fun, check out jamieoliver.com - in the cookie management pop-up, if you click to expand the vendor list... The sheer horror of it. Your site with 50 trackers - almost doesn't count.

      On my phone, in vertical orientation, my scroll bar is about 3 pixels tall. It is near infinite.

      1. Anonymous Coward
        Anonymous Coward

        Re: ... and then we add the chillie jam...

        Ahem.

        https://www.urbandictionary.com/define.php?term=mockney

    8. Andy A
      Facepalm

      It seems that nearly all websites have this "legitimate interests" bit tucked away, with EXACTLY the same headings as the ones we have just declined. How on earth is "Personalised ads" a legitimate use FFS ?

      I've just visited a site to get a sample. The "Evening Standard" (a newspaper in London, England). Their "Legitimate Interest" tab doesn't even have a scrollbar so that you can see the things they are assuming you want to opt in to. They do however have a Cancel button, which takes you back to the place where you have implicitly agreed to all the shenanigans, and a Save button, which tell them that you have EXPLICITLY agreed to all the shenanigans.

  3. Anonymous Coward
    Anonymous Coward

    That's because the prison terms for repeat offenders and global fines aren't high enough for the CEOs yet.

    1. Anonymous Coward
      Anonymous Coward

      Genuinely believe it's too much regulation for SME's to honestly follow even given their best efforts. When you hire a web dev or team thereof who provides a cookies consent form for multiple downstream suppliers yet you don't REALLY know if it's working and it takes in depth research like this to prove one way or the other.

      You have to trust the suppliers.

      Yet no bigger org is suitably punished like Facebook with its "it's not consent, it's a contract" approach to the problem which was allowed to go WAY too far as a defense. Really should be top down, and supplier based war on drugs style (except actually landed in morality and ethics) - target the suppliers and sanction those outside of legal reach, then work your way back in.

      When people don't get paid for the ads they provide and have assets temporarily frozen for dealing with sanctioned companies, you bet they'll take notice of who they deal with, or stop taking the risk of (unwanted in the first place) ads at all

      1. Richard 12 Silver badge

        Compliance is trivial - don't collect the data. You don't need it, and it's objectively worthless anyway.

        All it would really take is for a couple of maximum fines. Even better, the fines would be a significant proportion of annual tax take, so would knock a decent dent in the debts of whichever government had the spine to do it.

        1. Anonymous Coward
          Anonymous Coward

          Your point is completely true but all I'm saying is that putting a single ad on your site, or signing up to gather some performance metrics from a third party: You can only see what the suppliers want you to see - not what they gather, keep and then pass on. And your cookie consent form only presents to your customers the information you have.

          Absolutely punish them. Just punish the right people is my point. Wilful ignorance isn't an excuse but precedent has already been set that suppliers can be trusted because fines haven't gone out thus far. Go after the ad/tracker companies and not those SME's that have been lured in by those companies and just so happen to set the cookie.

          The lack of punishment so far has given the ad shovellers a massive air of legitimacy and I don't really trust a crackdown to target the real offenders, just the soft targets of SME's, not the Googles and Facebooks of the world.

      2. captain veg Silver badge

        No web site requires any cookies.

        If your business model requires cookies, that's a different matter. It's broken.

        -A.

        1. Dave559

          "No web site requires any cookies."

          "No web site requires any cookies."

          Umm, how do you think you logged in to your account, and remained logged in to actually be able to post that comment as you, then? [1]

          A functional cookie retains that sort of browser state between page loads (as http is stateless), and genuine functional cookies are explicitly allowed as they are required to enable that particular functionality that you requested. Not all cookies are evil (although those that you don't need or want can be).

          [1] There are probably other web technologies nowadays, such as local storage, which could do essentially the same, but these would be deemed to be similar to cookies for the relevant laws.

          1. captain veg Silver badge

            Re: "No web site requires any cookies."

            As it happens, I'm OK with session cookies. But that's not the point. No site requires cookies. It is perfectly feasible to embed a session token in the URL or indeed the body of the pages.

            I do a fair bit of web development (albeit mostly not public-facing) and never set any cookies. OK, the stuff I work on is single page applications, so the state doesn't need to survive page loads. I'm not suggesting for a moment that it's necessarily a good idea, but this web site could have that architecture too, technically.

            -A.

    2. Anonymous Coward
      Anonymous Coward

      re. prison terms for repeat offenders and global fines aren't high enough for the CEOs yet

      how many CEOs (or others at similar level) have been put behind bars? A few. Do any CEOs pay 'global fines' from their own pocket, or from their bonuses? Generally they move so quickly from one business to another, that you can't pin the blame on the current one, it was two guys before your honour! But yes, we will settle out of court, yes we do have funds, but let's sit down and negotiate, it's a little too much...

    3. cyberdemon Silver badge
      Mushroom

      Bugger the CEOs

      It's time we started fining the Investors.

      Then business might take note.

      Even if a CEO goes to jail, a big enough company can just get a new CEO. A threat of jail just means they get more danger-money. But if, in extreme cases such as those water utilities flushing raw sewage into rivers, if the investors were fined a small percentage of their shareholding for each breach of the law, then mis-behaving companies would eventually be taken into public ownership. That ought to give the board of directors reason to clean up their companies' acts.

      1. Anonymous Coward
        Anonymous Coward

        Re: Bugger the CEOs

        Surely if the fine is substantial enough and the press negative enough, the investors are 'paying a fine' indirectly by a devalued product.

        Regarding CEOs moving on and getting paid more danger money. If a CEO moves on and is found guilty of past crimes in another company then...what's the problem with prosecuting them regardless of whether they're current or not? For danger money, the answer's simple. All previous money, and the things it was spent on are 'proceeds of crime' and so get taken.

        Like I said, the fines, the prison sentences and the impacts aren't high enough yet for CEOs to stop being cunts, and their colleagues in government who permit them to get away with all this aren't any better.

        1. cyberdemon Silver badge
          Devil

          Re: Bugger the CEOs

          Short-term "investors" aka speculators, are quite happy when the value plummets (especially if they can predict it) as they can go short on the stock and make even more of a fortune from scandalous collapses than long-term investors can make from a well-managed company.

          However, if when the government fined a company, it actually confiscated 1% of that company's shares, then even the short-sellers would lose out, because the stock price hasn't gone down, there is just less of it available.

          And then for repeat offenders, such as water companies, the government would end up as a controlling shareholder and could forcibly clean up the company's act.

  4. DaemonProcess

    cookies irrelevant

    Even though cookies were the most accurate way of tying an ID to sites and adverts, what happens now instead is that every click-through and site visit is tagged with your ID and those clicks are themselves sent to analytical aggregators that use probabilities to tie your social media ID. The cookie laws are irrelevant and simply bypassed.

    And yes - the way the opt in/out panes work is a simple logical OR of Allow or Legitimate Interest for you to be tracked.

    Some of these opt-in/out tracking panes refer to a long list of 3rd parties who you have no direct control over whether they track you or not.

    These analytical aggregators have strict NDAs with the social and search giants so they cannot publicise what they do.

    As the researchers found out, the companies are complying with the letter of the law but not the spirit and in some cases not even the former, through outsourcing of tracking under NDA and other contractual terms that keep them free from direct accusation of non-compliance.

    1. Piro Silver badge

      Re: cookies irrelevant

      addon: "I still don't care about cookies"

    2. katrinab Silver badge
      Megaphone

      Re: cookies irrelevant

      That is why the law doesn't mention cookies, it mentions tracking technologies.

      And yes, that does mean that if it uses a cookie to store your login details, or the stuff you put in your shopping basket; this isn't covered by the law.

    3. heyrick Silver badge

      Re: cookies irrelevant

      <shrug> It's the responsibility of the website to obtain the appropriate permissions for their visitors. If they choose to outsource to some shady bullshit peddler, that doesn't change anything.

      1. Franco Bronze badge

        Re: cookies irrelevant

        It changes their liability if the bullshit peddler is saying "yes, we do comply with GDPR et al" and actually they don't, and being able to blame someone else if a big fine is in the offing is obviously desirable.

        1. nobody who matters

          Re: cookies irrelevant

          I am not sure whether that is true? It remains the legal responsibility of the webmaster/owner to comply with the law. It is for them to check and ensure that any third party they use for providing consent management does indeed provide the protection that they claim. It would be the website operator that the law would go for in the first instance and I doubt whether a plea of "they said their app was compliant and I took them at their word" would get them off the hook.

          1. heyrick Silver badge

            Re: cookies irrelevant

            "I doubt whether a plea of "they said their app was compliant and I took them at their word" would get them off the hook."

            The CNIL specifically states that "bon volonté" ("but they said...") is an unacceptable excuse. A Data Controller is obliged to audit Data Processors that manage data on their behalf.

            This was written in the context of, say, your employer outsourcing their HR or whatever. However it would be interesting to determine if visiting a website causes personal information to be collected (even if by a third party), since it's the visitation that triggers this, does that make the site owners the Data Controller (and, therefore, the responsible party)?

            I'd Google, but far too much "check your site is compliant" spam for a Friday evening.

          2. OhForF' Silver badge

            Off the hook

            These analytical aggregators have strict NDAs with the social and search giants so they cannot publicise what they do.

            As GDPR says data subjects have to be informed what their data is being used for signing a NDA like that makes it impossible to claim to be GDPR compliant in good faith.

            "But we couldn't tell them what the data is being used for - we were bound by the NDA with $ad_flinger" won't get them off the hook either, you can't overrule laws with NDAs.

        2. Richard 12 Silver badge

          Re: cookies irrelevant

          It doesn't. They're still 100% liable.

          There might be a possibility that they could recover some of the fine by suing their supplier, but they'll almost certainly find something in the small print indemnifies their supplier.

        3. Anonymous Coward
          Anonymous Coward

          Re: cookies irrelevant

          The words you're looking for are 'due diligence'.

          Dear Shady 3rd party bullshit peddler. Prove to me you're not a bullshitter. That might keep the ceo out of trouble.

        4. MOH

          Re: cookies irrelevant

          Nope

    4. cyberdemon Silver badge
      Devil

      Re: cookies irrelevant

      The opt in / out is just another "bit" in the data profile ...

  5. Charlie Clark Silver badge

    Consent management is bollocks

    The law says that opt-out is the default. Therefore, website owners may not collect data, including opt-out preferences without user's consent. "Consent management platforms" break this contract, not surprising considering that they act as aggregators.

    1. FrogsAndChips Silver badge

      Re: Consent management is bollocks

      To be fair, I've seen a positive trend recently, where more CMP will now default to opt-out when you choose to 'Manage my choices'. They will still make it easier for you to 'Accept all', through careful placement and highlighting of the choice buttons, but at least the Reject option is a 1-click process.

      1. Andy A
        FAIL

        Re: Consent management is bollocks

        Only a FEW do this. The vast majority tuck in a corner the "Legitimate interest" button. Looking there WILL show that EVERYTHING you thought you had opted out of is set to "allowed".

        It's a straight logical OR for these sections in the site code, if they take any notice at all.

      2. David Nash

        Re: Consent management is bollocks

        I've seen this too and I wondered if it's because I have opted out of various platforms so many times. But I wouldn't expect them to care about website B if I opted out on website A though.

    2. heyrick Silver badge

      Re: Consent management is bollocks

      Consent Management platforms are bullshit anyway.

      There's one that has the primary uses on the intro panel, with "legitimate interest" as a button on the bottom right. All of which are preticked (with an easy "Object all" button at the top).

      In the course of a browsing session, you'll run into this platform numerous times, and each and every time it's the same bloody story.

      They COULD use a strictly necessary cookie to remember your choice, but they choose not to (though I'm sure if you said yes, they'd not keep asking) because they're hoping to annoy you into agreement.

      A pox on all their houses.

      1. Anonymous Coward
        Anonymous Coward

        Re: Consent management is bollocks

        Websites like that can fuck right off. I wouldn't use them.

    3. Arthur the cat Silver badge

      Re: Consent management is bollocks

      The law says that opt-out is the default.

      The law? There are ~180-200 countries depending on who's counting, federated systems like Germany and the US have major amounts of sub-national level laws and cross jurisdictional enforcement is a Panamax container ship load of worms. Add to that bullshit fictions like "legitimate interest" and dealing with tracking abuse is worse than fighting the Hydra. A mandatory death penalty for first offences might bring it down to tolerable levels.

      1. heyrick Silver badge
        Thumb Up

        Re: Consent management is bollocks

        "A mandatory death penalty for first offences might bring it down to tolerable levels."

        Very much something a cat would think - "if in doubt, kill it".

        I like your style.

        1. Arthur the cat Silver badge

          Re: Consent management is bollocks

          Very much something a cat would think - "if in doubt, kill it".

          You missed out "play with it".

          1. captain veg Silver badge

            Re: Consent management is bollocks

            Oh, how I should like to see that. Start with spammers. Let the trackers watch as the (necessarily) giant cat whacks and pierces the bodies of the scumbags before letting them die in agony, knowing that they're next.

            Sorry, that was a bad dream. In real life I'm vegetarian and pacifist.

            And yet....

            -A.

  6. IGotOut Silver badge

    The non personalised ads .

    .. is complete bollocks as well.

    All mine are set to off, including my phone

    Add a REALLY obscure band of the 90s to my Spotify playlist (Sheep On Drugs if you're wondering).

    Two days later they appear in my FB feed, despite nothing I follow in any way relates to an obscure no hit wonder band

    So as a test, I added sk8ter boi by Avril Lavigne. Again no way related to Sheep On Drugs or any other band I listen to.....it took a week for her to pop in my Instagram.

    1. DaemonProcess

      Re: The non personalised ads .

      You do realise you are now testing El Reg as well, since you just mentioned the bands here? Sneaky.

      1. Evil Scot Bronze badge

        Re: The non personalised ads .

        I may be interested in these drugged sheep you talk of. You know why we wear kilts...

        So let me add the Red Hot Chilli Pipers to everyone's feed.

        1. This post has been deleted by its author

        2. TimMaher Silver badge
          Coat

          Re: Kilts

          Have you also got some large wellies and a big stick?

    2. Charlie Clark Silver badge

      Re: The non personalised ads .

      You have no sympathy for using services that boast proudly of how they trade personal data.

    3. Anonymous Coward
      Anonymous Coward

      Re: The non personalised ads .

      Completely off topic, but the former singer of Sheep On Drugs tattooed my arm. I'm going to have to give their classic track "Motorbike" a listen now...

      1. that one in the corner Silver badge

        Re: The non personalised ads .

        > the former singer of Sheep On Drugs tattooed my arm

        You read about this sort of thing all the time in the papers.

        There you are, calmly walking down the street, when - blam! You've been tattooed by an ex-indie band singer! Next thing you know, some John Cooper Clarke tribute act has corniced your shopping bag in the Rococo style and the police are no help at all "Sorry sir, we don't deal with any architectural styles prior to the 1920s Revivalists". What is the World coming to, that's what I'd like to know.

        Sorry, what were we talking about?

    4. Esoteric Eric

      Re: The non personalised ads .

      You use FB and instagram?

      lololol

  7. Peter Prof Fox

    How much is my adblocker costing advertisers?

    Can somebody give some idea of how much each advert is being hawked for?

    1. katrinab Silver badge

      Re: How much is my adblocker costing advertisers?

      Fractions of a cent.

  8. Jo Ma Sepoes

    The answer to issues like this is incredibly simple

    Fine the transgressors of laws/regulations with a percentage of their revenue.

    There isn't a company on earth that will not pay attention to that. If you fine based on their profits then they just shuffle money around in their accounting statements. If you give a fixed fine, it's unfair to the small guys and pocket change to the big guys.

    If you fine 1% of their annual revenue these transgressions will disappear overnight.

    Finland has done it for decades with traffic fines. It works incredibly well.

    1. FrogsAndChips Silver badge

      GDPR fines are supposed to be a fraction of revenue (max 4% IIRC, which can be quite significant), not profit. We just need this to be enforced on a big actor, pour encourager les autres.

      1. Johnb89

        If only we had some sort of government regulator

        In the UK we have the ICO, whose job it specifically is to do exactly that. If only they would/did. They don't. Around Europe many ICOs have done small things, but not the big things. Mr Schrems gets much credit.

        But the problem is voters aren't going to like not having access to Facebook, Instagram, Google and the like.

        So we get what we 'want', collectively, whether we few here agree or not.

        1. heyrick Silver badge

          Re: If only we had some sort of government regulator

          "but not the big things"

          France's CNIL keeps going after Google for multiples of €50,000,000, and recently ruled that the use of Google Analytics on French websites was not legal (which meant huge swathes of GA vanished in a hurry).

          Okay, it's not 4% of turnover, but they are rocking the boat.

    2. Anonymous Coward
      Anonymous Coward

      "Finland has done it for decades with traffic fines. It works incredibly well."

      ... at making money. Nothing else. Literally. Very poor example.

      'Traffic violations' have increased from ~100k cases per year to ~300k cases per year, while revenue from fines has increased from 65M euros to 220M euros per year, from 3.5M cars. The *goal* for Police is to get 600k violations per year.

      Someone might wonder why the *goal* is to *increase* traffic violations, but obviously Jo Ma Sepoes doesn't. Anyone else might think it's all about money. Not safety as safety is not even mentioned when goals are discussed. No wonder, safety hasn't changed at all.

      Not a surprise: Highway robbery doesn't increase safety ... and nothing else has been done.

  9. Pascal Monett Silver badge

    "header bidding via prebid.js"

    So all this tracking is done via JavaScript ?

    Well then, once again NoScript to the rescue.

    Why am I not surprised ?

  10. elsergiovolador Silver badge

    Envelopes

    People need to understand that GDPR wasn't created to offer better privacy or to protect user personal data.

    First we had the Cookie Law that trained people into clicking consent boxes without reading.

    Then we had a GDPR where people who are already trained into clicking boxes without reading consent to processing their data.

    Now big corporations have personal data that they can legitimately process and sell and before the GDPR it was a grey area.

    1. Anonymous Coward
      Anonymous Coward

      Re: Envelopes

      First, *we* had Informatique et Libertés, and that was in 1978.

      Also, in case you haven't noticed, the GDPR frowns on accept buttons that are more prominent than refuse. Of course, many still play with that. But Google came into line some time ago, so others will follow.

      1. elsergiovolador Silver badge

        Re: Envelopes

        the GDPR frowns on

        That is meaningless. It's like an officer making a mean face when seeing someone stealing and doing nothing else.

        I think you seem to be a blind believer in the holiness of the EU and their propaganda.

        1. heyrick Silver badge

          Re: Envelopes

          Downvote because while the EU makes the rules, it's up to each country to enforce them. Some countries have organisations that do attempt to provide enforcement (even if it is a slow legal process), while other countries have organisations that are best described as "not fit for purpose".

    2. nobody who matters

      Re: Envelopes

      "..................before the GDPR it was a grey area......................"

      Not in the least bit. Prior to GDPR it was a free-for-all; in effect, "all your data is ours" and nothing whatsoever to stop it.

      1. old_n_grey
        Coat

        Re: Envelopes

        "all your data is ours"

        Methinks you meant: all your data are belong to us

  11. Doctor Syntax Silver badge

    Legislation without sufficient enforcement is useless. Back in the C19th when the Factory Acts and the like were introduced an inspectorate was set up to ensure it was obeyed.

    The same thing is needed now along with a provision that was in DPA 1.0: the power to forbid further data processing until the situation is remedied. Party inspected tries to hide from the inspector via an NDA? Told to take down the site Right Now.

    1. elsergiovolador Silver badge

      The fact that GDPR is only selectively enforced and fines become essentially a cost of running business, proves my comment above.

      1. Anonymous Coward
        Anonymous Coward

        No it doesn't.

        Your "point" was EU-bashing.

        You really need to bash those good old sovereign countries that are part of the EU.

  12. chivo243 Silver badge
    Alert

    still cost effective!

    Until the fines outweigh their profits, bigcorps will continue to reap the profits, and continue business as usual... and profit.

    1. M.V. Lipvig Silver badge

      Re: still cost effective!

      Nope, because they'll raise the price to cover the fines. Prison time for CEOs, on the other hand, would be far more effective. In fact, fining the company wouldn't even be necessary anymore.

      1. that one in the corner Silver badge

        Re: still cost effective!

        > Prison time for CEOs

        They would still find a way around it.

        Like hiring some old lag who'd been institutionalised years ago to sit as "the CEO": his/her going back into clink would be no problem - going into white-collar open prison would be a holiday, a cushy number.

        Meanwhile, "Vice President of Boardroom Seating" carries on running things and smiling all the way to the bank.

  13. Vimes

    A fun one to check out is any *.fandom.com website.

    On a few occasions now I went to the trouble of unchecking all vendors in their consent dialog (an excessively and unreasonably time-consuming process in itself - not to mention dishonest since the selected purpose might be disabled but all vendors listed within the collapsible section for that purpose remain enabled)

    Funny thing is though in some cases the options for some vendors get re-enabled after I had explicitly disabled them. I only know this because on one occasion it happened as I was unchecking other entries further down without me choosing to do so.

  14. Groo The Wanderer Silver badge

    There is the law and there is what our lawyers say we can get away with.

    We do tend to go with our lawyer's advice. They are, after all, rather well paid.

  15. M.V. Lipvig Silver badge
    Big Brother

    I've said it before,

    and I'll say it again - tracking won't end until there's a high profile trial ending in jail time. Put the CEO and board of, say, Google in the tanty for about 10 years, general population, normal prison instead of Club Fed, along with confiscation of stock, huge fines and a lifetime ban on ever serving on the board of a publicly traded company, and suddenly illegal tracking by large corps is no longer a problem. No other CEO will want to risk being Googled. And only prison time for the ones in charge will do it - directors going to prison won't matter, nor will larger fines.

    1. Jellied Eel Silver badge

      Re: I've said it before,

      ...and a lifetime ban on ever serving on the board of a publicly traded company,

      Don't forget a lifetime entry on the Data Offenders Register. Elements of that could be copied from the Sex Offender one and applied to data rapists. Must be freely available to the public, and allow data offenders to be tracked and monitored. So their geolocation, browsing and search history, keyword entry, interests etc etc. Basically anything and every datapoint collected, aggregated or inferred about us is made public for them. For security and privacy reasons, there could be a couple of exemptions, like passwords. Even though keystroke logging means data rapists can grab those anyway as we type them.

      I cannot see any C-level exec objecting to this because they already think it's perfectly acceptable for them to hoard this data anyway.

    2. CatWithChainsaw

      Re: I've said it before,

      You really do need to include the CEO *and* board though, because the CEO can already be a fall guy. It has to be the risk of team failure to encourage team policing. It should also probably be confiscation of more assets than just stocks, as a nice nest egg squared away means it's easier to start over with the next grift.

  16. Grunchy Silver badge

    Pi-Hole in Alt-F

    Well no, Pi-Hole won't work because my old DNS-323 (running Alt-F) doesn't have the necessary resources to run APT.

    But I did find AdGuard Home for Arm5 runs magnificently within the 64 MB ram! It subscribes to any/all of the Pi-Hole filters and does daily updates and adds just 115 ms latency to any DNS lookup. Memory utilization holds to about 90%, CPU to about 15%. Swap file only 1 MB.

    Works good and I did not have to buy anything or even do much config. I was already serving HDD over Ethernet (NAS) so why not host a freeware DNS filter too?

  17. anonymous boring coward Silver badge

    "And since header bidding via prebid.js occurs on the client"

    Yeah, about that... I'm just a little bit tired of all the CPU cycle stealing going on.

    The WWW was quite nice the first few years. Only one idiot inventing BLINK, and that was most of the bad stuff at the time.

  18. Kev99 Silver badge

    I wonder if one can neuter prebid.js on one's computer? Renaming it ~prebid.js or something like that?

  19. Anonymous Coward
    Anonymous Coward

    Accompanying thumbnail on the front page...

    ...the poster from that 1960s B-movie, "Attack of the Giant Spermatozoa".

  20. Anonymous Coward
    Anonymous Coward

    I remember...

    the good old days when an advert was a hand picked company and it was a banner that was nothing more than an image insert that took you to their page. No metrics, nothing, just a wee unobtrusive banner.

    I was okay with those.

  21. Esoteric Eric

    Thankfully El Reg doesn't do this...

    Oh, wait....

  22. JulieM Silver badge

    Time to get spiky

    It's time to accept this declaration of war and start taking action to defend our privacy online, by whatever means may be necessary.

    If this means modifying browsers to return falsified cookies, send fake events and not run JavaScript, so be it.
