British data watchdog brings cookies to G7 meeting – pop-up consent requests, not the delicious baked treats

Cookies are on the menu today for the G7 as the UK's Information Commissioner's Office (ICO) proposes to the group of leading global economies that consent pop-ups should be reduced. The ICO said it would call on fellow G7 data protection and privacy authorities – three of which used to be its fellow EU member states – to work …

  1. Anonymous Coward

    Just ban third party tracking.

    1. Mike 137 Silver badge

      Just ban third party tracking

      Unfortunately, first party tracking can be just as intrusive. All a first party needs to do is share the data with third parties having gathered it via first party cookies.

      1. Yet Another Anonymous coward Silver badge

        Re: Just ban third party tracking

        So the first party can sell the data to anyone they met at a party

    2. ShadowSystems

      Just ban tracking. Full stop.

      There, fixed that for you. =-j

    3. Anonymous Coward

      "Just ban third party tracking."

      Exactly!

      And cookies are just the tip of the iceberg...

      I'm seeing more and more websites using fingerprinting scripts such as "fingerprint.js" which can detect not only the type of browser the person is using but also the exact make and model of the device.

      These fingerprinting scripts are also a favorite of malvertisers and APTs to be able to launch targeted exploits.

      https://github.com/fingerprintjs/fingerprintjs/tree/master/src/sources

      1. Anonymous Coward

        :o

        What? A script that can read the user agent string sent on all web requests. Whatever next?!

      2. Anonymous Coward

        Cloudflare fingerprinting

        You don't even need access to the TLS connection to fingerprint, I tested Cloudflare and found they included stuff like the CipherSuite when making the connection to determine device and browser.

        The cipher suite is the list of supported encryption algos for the client device when making a TLS connection; you wouldn't need the content to fingerprint the source:

        It looks like "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"...,

        It varies depending on the browser and version and device support of which suites making it very useful for fingerprinting, without needing the TLS content.

        Cloudflare, having a fingerprinter, a Content Delivery Network, a Certificate issuer, a Certificate Transparency Log, and a DNS service, AND a service that delivers mock pages ('browser landing pages') very very quickly for any site anywhere, means you cannot trust *any* TLS connection at all anywhere.

        So Techdirt for example, has a Cloudflare front end where I am, and so I never read or comment on Techdirt. In other countries it does not, dependent on the country. I have no way of verifying any of that and the TLS is inherently untrustable for that site.

        Speech *is* dangerous to some people. True speech is worse. And it does have consequences. So be careful what you say, *particularly here*, *particularly in the UK* and in countries where surveillance is both competently run, and out of control.
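The cipher-suite fingerprinting described in this comment, as an added example that is not from the page or from Cloudflare: a minimal parser for the plaintext TLS ClientHello that pulls out the offered suites (and the SNI host name, which is also sent in clear) and hashes the suite list JA3-style, which is how defenders' bot-detection and network monitoring tools do the same thing. The ClientHello bytes and the host name are constructed for the demo, and the GREASE filter shows the one edge case that otherwise makes fingerprints unstable.

```python
import hashlib
import struct

# IANA code points for the cipher suites quoted in the comment above.
CIPHER_SUITE_NAMES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}


def is_grease(value):
    # RFC 8701 GREASE values (0x0a0a, 0x1a1a, ..., 0xfafa) are randomised per
    # connection; drop them or a browser never matches its own fingerprint.
    return (value & 0x0F0F) == 0x0A0A and (value >> 8) == (value & 0xFF)


def build_client_hello(cipher_suites, sni):
    """Constructed ClientHello record for the demo (not a real browser capture)."""
    suites = b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    sni_body = struct.pack("!HBH", len(sni) + 3, 0, len(sni)) + sni
    extensions = struct.pack("!HH", 0, len(sni_body)) + sni_body
    body = (
        b"\x03\x03" + bytes(32)                           # client_version, random
        + b"\x00"                                         # empty session_id
        + struct.pack("!H", len(suites)) + suites         # cipher_suites
        + b"\x01\x00"                                     # compression: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Read the offered cipher suites and the SNI out of the plaintext ClientHello."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    pos = 9 + 2 + 32                                      # record+handshake hdr, version, random
    pos += 1 + record[pos]                                # session_id
    suites_len = struct.unpack_from("!H", record, pos)[0]
    pos += 2
    suites = [struct.unpack_from("!H", record, p)[0] for p in range(pos, pos + suites_len, 2)]
    pos += suites_len
    pos += 1 + record[pos]                                # compression methods
    ext_len = struct.unpack_from("!H", record, pos)[0]
    pos += 2
    end, sni = pos + ext_len, None
    while pos < end:
        ext_type, length = struct.unpack_from("!HH", record, pos)
        if ext_type == 0:                                 # server_name: host name in clear
            name_len = struct.unpack_from("!H", record, pos + 7)[0]
            sni = record[pos + 9:pos + 9 + name_len].decode()
        pos += 4 + length
    return {"cipher_suites": suites, "sni": sni}


def cipher_suite_fingerprint(record):
    """JA3-style hash of the suite list: GREASE removed, client order preserved."""
    suites = [cs for cs in parse_client_hello(record)["cipher_suites"] if not is_grease(cs)]
    return hashlib.md5("-".join(str(cs) for cs in suites).encode()).hexdigest()
```

Everything the parser reads sits before any encryption starts, which is why a CDN or any on-path box can classify the client without touching the request content.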

      3. Paul Hovnanian Silver badge

        "fingerprint.js"

        lynx doesn't run JavaScript.

    4. veti Silver badge

      How?

      I mean, what specific law or regulation would you draft that could do that?

  2. Dan 55 Silver badge

    Tame data commissioner enacts performative cookie banner removal request to wow domestic audience

    ... while Whitehall gets on with chipping away at the real data protection (UK-GDPR).

    It would be more convenient for the UK ruling junta if the banners go before UK-GDPR does, because otherwise people might think something is amiss if the UK-GDPR underpinnings disappear and banners for sites hosted in the UK change to "All your data are belong to us and anyone we sell it to [ACCEPT]".

    1. Woodnag

      It's now the Data Protection Act 2018

      UK's Data Protection Act 2018 is binding domestically now, not GDPR, since the end of last year.

      However, to process EU data, UK has to follow GDPR as does the US.

      Of course UK will break GDPR, while loudly saying it isn't, similar to Ireland protecting FB. But at some point the EU will say 'enough' and data flow to UK from the countries subject to EU law will be illegal under GDPR.

      See https://noyb.eu/en if interested in the Schrems litigation.

  3. Empire of the Pussycat

    If this quote is accurate...

    "No thanks, EU! Hated rules SCRAPPED as UK to end 'pointless' web cookies in Brexit bonfire," crowed the headline in the pro-Brexit Daily Express.

    ...they think it's the EU imposing the cookies, and yet brexiters get annoyed when people call them stupid.

    1. Wellyboot Silver badge

      >>If this quote is accurate...<<

      It's likely as accurate as any other wildly biased tabloid press output; they're just looking for attention and trying to wind up grauniad readers with foaming at the mouth headlines.

    2. veti Silver badge

      They don't know nor care what cookies are. To them, the problem is the stupid banner that gets in the way on websites until you click something to make it go away.

      The banner isn't telling them anything they care about, so it's just an obstruction. They know it's something to do with cookies, whatever they are. But if the banner disappears, as far as they're concerned, problem solved.

      That's not completely irrational. It's ignorant of course, but we're all ignorant of things we don't care about.

  4. Mike 137 Silver badge

    Realism please

    "[a] future, where web browsers, software applications and device settings allow people to set lasting privacy preferences of their choosing, rather than having to do that through pop-ups every time they visit a website"

    Given the criteria for exemption from cookie consent it's hard to see how automation could be made to work at all. They have nothing to do with readily testable attributes such as origin or persistence, for example, but are based on necessity for provision of the service:

    the cookie is for the sole purpose of carrying out the transmission of a communication over an electronic communications network;

    or

    the cookie is strictly necessary to provide an ‘information society service’ (eg a service over the internet) requested by the subscriber or user. Note that it must be essential to fulfil their request – cookies that are helpful or convenient but not essential, or that are only essential for your own purposes, will still require consent. [ICO Guide to PECR].

    I for one can't see how the distinction between such cookies and all others could possibly be made by a web browser or client side app as it can have no insight into the provider's service architecture or corporate purposes.

    Consequently the almost certain outcome of any proposals will tend towards weakening the control folks have over cookie based data slurping. Indeed the Ministerial foreword to the currently open DCMS consultation on Digital Regulation states "we will take an unashamedly pro-tech approach". Which of course in reality means "pro tech-corporate approach", so goodbye privacy for those of us who care.

    1. katrinab Silver badge

      Re: Realism please

      The law doesn't mention "cookies". It mentions tracking technologies.

      Cookies to record the contents of your shopping basket or your login credentials are fine. You don't even need to ask for consent for them.

      1. Doctor Syntax Silver badge

        Re: Realism please

        And popups for anything else should be a warning to go elsewhere. What's needed is a public educated to realise that these aren't something mandated by the EU to trip them up, they're an indication that the website isn't to be trusted.

    2. Loyal Commenter Silver badge

      Re: Realism please

      I for one can't see how the distinction between such cookies and all others could possibly be made by a web browser or client side app as it can have no insight into the provider's service architecture or corporate purposes.

      This is not the point. It's not for the browser to work out whether a cookie is required, it is a legal requirement (under GDPR) that a web site not track users without their consent. Of course, this is a paper tiger if the web site operator is outside the reach of the EU* (although breaching parties could find themselves in trouble if visiting the EU, or if they have business interests there). However, it does mean that trying to track users in this way, without their consent, within the purview of the member states can be a very costly mistake.

      *and UK, kind of, as long as we want to keep our data-equivalency with the EU, which our current government seems keen on throwing away.

  5. Yet Another Anonymous coward Silver badge

    It doesn't have to, the browser just sends a 'no ad cookies' request to the site and it's up to the site to obey. The browser doesn't enforce the site behavior anymore than the popup banner does.

    What the ad men are afraid of is no one is going to click yes to a simple 'do you want spam' option when they install the browser, even if they would click 'accept all cookies' rather than navigate a 10-page preference page at every site.

    1. Irongut

      Maybe we could call it a DO NOT TRACK header? You know like the one all websites ignore anyway.

      Been there, tried that, it did not work.

      1. matjaggard

        Legally enforcing it to be recognised wouldn't be hard though and would likely work for all the orgs that are using the cookie banners now.

    2. Anonymous Coward

      "It doesn't have to, the browser just sends a 'no ad cookies' request to the site and it's up to the site to obey."

      Nope, you're looking at it the wrong way round. The browser doesn't need to have to send a thing at all - as per PECR & GDPR, cookies (or other tracking "things") can *only* be used with consent, unless they are strictly necessary for the functioning of the website (which doesn't include analytics for instance).

      So a "please-track-me-any-which-way" HTTP could well be defined as a "cookie banner" alternative and used when people want to signal that they consent to being tracked but the default lawfully compliant scenario when no such header is sent (or sent with a value "No") is for *no* tracking to occur.

      In the same way, all these "by continuing to browse our website you agree to our Privacy Notice and Cookie Policy" banners are not legally valid. Likewise for any sites putting Google Analytic links in the HTML NoScript tag on their webpages to track people who have Javascript disabled.

      1. veti Silver badge

        It's really not hard to design a website such that tracking *is* strictly necessary for it to work at all.

  6. alain williams Silver badge

    Definition of a cookie

    Many people know about cookies but are unaware of other means of tracking a browser or user. So, for the purpose of this review, a cookie should be defined to include: local storage, browser fingerprinting, etc.

    Different sorts of cookies need to be understood: cookies from the site that you visit are very different from 3rd party ones. Session cookies (short term ones that tie together pages visited over 1/2 hour or so) are different from ones that survive over weeks & months.

    Opting out should be no harder than opting in. Some web-sites or apps have opt-in with one click, to opt-out you need to click every type of opt-out.

    The review should be about (mobile 'phone) apps as well as what happens via a web browser.

    Web sites should list every cookie that it (and any 3rd party) sets and say what it is used for.

    You should be able to opt out of every sort of cookie - with the exception of session cookies.

    1. Adrian 4

      Re: Definition of a cookie

      Hasn't someone - apple, maybe ? - made their browser partition data by website so that the only cookies available were set in that site's private universe ?

      1. Martin J Hooper

        Re: Definition of a cookie

        Firefox has I know in the latest versions or something similar. Not sure about Apple as I don't follow them not having any of their gear.

      2. friendly hobbit

        Re: Definition of a cookie

        Isn't that how cookies work anyway? Cookies are set against a single domain. So website operators who use third party tracking tools on their site are setting cookies against the third party domain. So partitioning by website doesn't really make a difference. But turning off third party cookies would.
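A small model of the two browser-side policies this sub-thread compares, added here as an example (not code from the page or from any browser): a toy cookie store that can either partition cookies by the top-level site the user is on, or refuse cookies whose domain is not the top-level site, and a simulated tracker script embedded on two unrelated sites. The site and tracker domain names are constructed for the demo.

```python
class CookieJar:
    """Toy browser cookie store.

    partitioned=True keys every cookie by the top-level site as well as the
    cookie's own domain (the per-site "private universe" asked about above);
    block_third_party=True refuses any cookie whose domain differs from the
    top-level site. Both default off, i.e. the classic shared cookie jar.
    """

    def __init__(self, partitioned=False, block_third_party=False):
        self.partitioned = partitioned
        self.block_third_party = block_third_party
        self.store = {}   # (partition_key, cookie_domain) -> {name: value}

    def _key(self, top_site, cookie_domain):
        return (top_site if self.partitioned else None, cookie_domain)

    def set(self, top_site, cookie_domain, name, value):
        if self.block_third_party and cookie_domain != top_site:
            return False
        self.store.setdefault(self._key(top_site, cookie_domain), {})[name] = value
        return True

    def get(self, top_site, cookie_domain, name):
        return self.store.get(self._key(top_site, cookie_domain), {}).get(name)


def tracker_can_link_visits(jar, tracker="tracker.example",
                            sites=("news.example", "shop.example")):
    """Simulate the same embedded tracker on two different sites.

    On each visit the tracker reads its id cookie and sets a fresh one if it
    has none. Returns True when the id seen on the second site is the id set
    on the first, i.e. the two visits can be joined into one profile.
    """
    ids = []
    for n, site in enumerate(sites):
        if jar.get(site, tracker, "tid") is None:
            jar.set(site, tracker, "tid", f"id-{n}")   # constructed id value
        ids.append(jar.get(site, tracker, "tid"))
    return ids[0] is not None and ids[0] == ids[1]
```

First-party cookies keep working under every policy; the difference is only whether the tracker's cookie set on one site is readable when the same tracker loads on another.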

  7. Fazal Majid

    What's needed is something like a legally binding form of the Do-Not-Track flag, but considering the vast majority of cookie "consent" pop-ups violate GDPR by not making "Reject All" as prominent and easy as "Accept All", seemingly with no consequences this far, I don't have high hopes.

    1. veti Silver badge

      Legally binding on whom, exactly? Host? Owner? Publisher?

      (Note that saying "all" is functionally equivalent to "none".)

  8. katrinab Silver badge

    We already have the ability for "web browsers, software applications and device settings allow people to set lasting privacy preferences of their choosing"

    It is called the "Do not track" header.

  9. Irongut

    > People automatically select "I agree" when presented with cookies pop-ups on the internet, she argued, so they don't have meaningful control over personal data.

    "People" may do that but I don't. I click REJECT ALL and if that option doesn't exist I close the window.

    But then I also do weird things like read what is written on the screen rather than blindly pressing buttons like a toddler on a sugar rush.

    1. thosrtanner

      I click reject all as well. What pees me off is people like ziff davis who re-ask the question REPEATEDLY on the same page. And again when you restart the browser. I'd think a cookie saying 'I do not want all this tracking' would be within the letter and spirit of the law, rather than just the letter as currently.

      1. Steve K

        "Legitimate Interest"

        While they are at it, they could stop the pre-ticking of so-called "Legitimate Interest" settings too as it seems to be a way to ignore the whole "choice" thing anyway!

      2. LybsterRoy Silver badge

        <<I'd think a cookie saying 'I do not want all this tracking' would be within the letter and spirit of the law, rather than just the letter as currently.>>

        That requires leaving the cookies on your computer. My browser is set to delete cookies when closing. It does, I've checked, and I don't leave the browser open from starting my PC to going to bed.

        1. thosrtanner

          Yeah, but this is when I reload the page.

    2. LybsterRoy Silver badge

      I (mostly) don't click on accept all - I have "I Don't Care About Cookies" to do it for me.

  10. Howard Sway Silver badge

    Iain Duncan Smith claimed it led to people being bombarded with complex consent requests

    I can see how Iain Duncan Smith might well find it rather hard to solve a "complex" problem like deciding which of the two buttons to press.

    "I Agree...I Don't Agree....... it's just so confusing isn't it?"

    Also doesn't realise that it makes him sound like Alan Partridge when he found an "additional costs" item on his hotel bill and then claimed he got confused when his tv asked him to confirm whether he wanted to watch the adult pay tv channel or not.

    1. matjaggard

      Re: Iain Duncan Smith claimed it led to people being bombarded with complex consent requests

      It is very rare to see just two sensible buttons like that

    2. veti Silver badge

      Re: Iain Duncan Smith claimed it led to people being bombarded with complex consent requests

      It's not the buttons. It's the 400-word, grey-on-grey essay that "explains" what you're being asked to agree *to*.

  11. Teejay

    It's simply back to data collection, or not?

    Maybe I'm getting this wrong, but to me it simply seems as if the UK is returning to data collection without consent - and trying to spin this like it makes things better because you won't have a pop-up to click away.

    1. LybsterRoy Silver badge

      Re: It's simply back to data collection, or not?

      Alternative view - they're just trying to make normal people's (you know, the majority of PC, tablet & smartphone users) lives that little bit less annoying.

      1. Loyal Commenter Silver badge

        Re: It's simply back to data collection, or not?

        In that case, surely the simplest thing would be to legislate to get rid of the pop-ups entirely, and assume "do not consent". If you think our government would do that, I've got a bridge you might like to buy.

  12. codejunky Silver badge

    Ha

    "But after a bad run in Afghanistan, and facing down COVID-19 and post-Brexit supply chain disruption, Boris Johnson's government could do with a distraction."

    Thought you were talking about the EU gov until I got to the end of that sentence. Since most banners are deemed illegal anyway we should probably just tell people to do away with them. And surely nobody will mind if the rules are not enforced already anyway.

  13. Loyal Commenter Silver badge

    There's an easy way for web sites to avoid having to have those "un-user friendly" banners

    ...and that is to not try to do things that require a user's explicit consent, such as spewing their adverjism* in the user's face, or tracking and profiling the user in an attempt to monetise the user's visit to their site. Note that there's nothing to stop a site from showing adverts that don't require tracking of the user.

    *You're welcome.

  14. Missing Semicolon Silver badge

    Lobby blitz

    Odd how all the papers are reporting this as a "good" thing. "getting rid of the hated cookie prompt".

    What's really weird is seeing Mr A Orlowski (late of this parish) spouting the same nonsense in the Telegraph.

    It really starts you wanting to reach for the tinfoil hat, when suddenly the machinery of Government, and almost all print journalists, start banging on about "Modernising" data protection, with the first proposal being to reduce it. You do start wondering why the press is supporting the Government on this anti-people measure - are they really working in cahoots? Is what the nutters say about conspiracies true?

    1. codejunky Silver badge

      Re: Lobby blitz

      @Missing Semicolon

      "start banging on about "Modernising" data protection, with the first proposal being to reduce it."

      Can modernising not involve reducing something? I don't know if this will be a good or bad thing but one of the reasons to ditch the EU is to reduce the burden of forever more rules.

  15. hayzoos

    Toss those cookies

    The whole cookie deal is too complex for the average punter. Session cookies, first party cookies, third party cookies (what about second party cookies), cookie expiration, tracking cookies, why not call them biscuits, fortune cookies; the head spins.

    Even here they are not fully understood. First party cookies are not only session cookies. How does a site "keep me logged in" or "remember me" or in some poor implementation instances "remember my preferences"? Answer: first party cookies which are not session cookies. Did you know a session cookie can also be a third party cookie? See, not clear cut. I am sure I do not know all the flavors of cookies or biscuits.

    Part of my anti-tracking routine is starting all browser sessions with a clean slate, no site related data retained by the browser. I also attempt to block other tracking methods but it is not easy. Nor do I think I am being complete and successful. I only hope to not be the low hanging fruit.

    My wish for the decision (even though I am extra-jurisdictional) is that it not make my approach harder or ineffective. Being a USAian I do not expect to benefit from the EU or UK attempts to curb the private data slurp. On the other hand, I should also not suffer from poor implementations like cookie consent banners.

    That is all.

  16. Anonymous Coward

    I don't see the big problem, not as they see it.

    Once you've said yes once, you don't generally get asked again by that particular site.

    I'm definitely not interested in a browser based cookie setting that applies to places I've never visited yet.

    Case by case basis is fine.

    Cookies for site functionality are excepted anyway and at least with the pop up you can choose from the options available.

    1. Paul Hovnanian Silver badge

      "Once you've said yes once, you don't generally get asked again by that particular site."

      But if you say No, you have to say No every time. Because the only way for a site to remember your preference would be to ...

      ... set a cookie.
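Two earlier points in this thread, the "default with no signal is no tracking" model the Anonymous Coward describes and the observation just above that remembering a "No" itself needs a cookie, fit together in one piece of server logic. This is an added example, not code from the page: it decides per request which cookies to set, treats silence (and a DNT: 1 header) as no consent, and persists a refusal in a consent cookie whose value is identical for everyone and so identifies nobody. Cookie names, lifetimes and the header dict shape are assumptions for the demo; the contrasting `implied_consent_tracks` function is the "by continuing to browse you agree" pattern the comment calls invalid.

```python
import secrets
from http.cookies import SimpleCookie

# Hypothetical cookie names for the demo; a real site would pick its own.
SESSION_COOKIE = "sid"              # strictly necessary: holds the login/basket
CONSENT_COOKIE = "cookie_consent"   # remembers the answer, carries no identifier
ANALYTICS_COOKIE = "_ua_id"         # tracking: only ever set after opt-in


def consent_state(headers):
    """'yes', 'no' or 'unknown' from the request; silence is not consent."""
    jar = SimpleCookie(headers.get("Cookie", ""))
    if CONSENT_COOKIE in jar and jar[CONSENT_COOKIE].value in ("yes", "no"):
        return jar[CONSENT_COOKIE].value
    if headers.get("DNT") == "1":                 # Do Not Track: explicit refusal
        return "no"
    return "unknown"


def plan_response(headers, banner_choice=None):
    """Decide which cookies to set and whether the banner must be shown.

    banner_choice is 'accept' or 'reject' when the user has just clicked a
    banner button, None for an ordinary page load.
    """
    jar = SimpleCookie(headers.get("Cookie", ""))
    state = consent_state(headers)
    set_cookies = []
    if SESSION_COOKIE not in jar:
        # Strictly necessary cookie (the PECR exemption): no consent needed.
        set_cookies.append(f"{SESSION_COOKIE}={secrets.token_urlsafe(16)}; "
                           "HttpOnly; Secure; SameSite=Lax")
    if banner_choice in ("accept", "reject"):
        state = "yes" if banner_choice == "accept" else "no"
        # Persist the answer either way. The stored 'no' is what stops the
        # re-asking, and it is the same value for everyone who refused.
        set_cookies.append(f"{CONSENT_COOKIE}={state}; Max-Age=15552000; "
                           "Secure; SameSite=Lax")
    if state == "yes":
        set_cookies.append(f"{ANALYTICS_COOKIE}={secrets.token_urlsafe(16)}; "
                           "Max-Age=63072000; Secure; SameSite=Lax")
    return {"show_banner": state == "unknown",
            "track": state == "yes",
            "set_cookies": set_cookies}


def implied_consent_tracks(headers):
    """The 'by continuing to browse you agree' pattern: tracks unless the
    user has actively refused, i.e. it treats silence as a yes."""
    return consent_state(headers) != "no"
```

Note that the two functions give opposite answers for a first-time visitor with no cookies and no DNT header, which is exactly the case the consent rules turn on.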

  17. headrush

    How about setting the cookie folder to read only?
