AI-powered browser extension to automatically click away cookie pop-ups now promised A team of researchers at University of Wisconsin-Madison and Google say they have found a way to use artificial intelligence to neutralize manipulative cookie consent pop-ups that have become ubiquitous on the web. The project, revealed this month and dubbed CookieEnforcer, has the goal of automating the clicking through of …
My ancient browser is configured not to allow 3rd party cookies at all & to prompt for 1st party ones, so that stops most 3rd party cookie requests in their tracks;
It's configured to block pop up windows, so that stops the tracking request widget in it's tracks;
It doesn't run JS so that shoots that particular security-raping of my system through the head the moment it tries to raise it to say hello;
and none of this requires AI, ML, or any other buzzword infused bollocks.
So why does it need an AI/ML extension to accomplish on "modern" browsers?
No I don't use Google search. I use DDG for that. No JS required.
I do use Gmail, but JS isn't required there either. Nor for my bank, any of the forums, or news sites I frequent.
If a site claims to need JS, especially if it says it's for *security*, that site gets an email to tell them they're utterly full of shit.
Close the tab, hit DDG, & search for the same content elsewhere.
JavaScript: Just Say No.
So what do you do when it's your government website that requires it (that has no substitute)? Declare your intent to renounce citizenship and move to another country?
While I can't speak to your government, or most governments at all, while my government does have such websites, if I visit the appropriate office in person they will do the paperwork without me having to log in and use their website. It is very inconvienient, but possible. The government wouldn't have a legal leg to stand on in court if I said "I attended an appointment at office X, and they refused to do the work of that department, requiring me to use their website, and now they are taking me to court for not filling out form X online, despite me in-person giving them all the information".
Requring the use of the website, with absolutely no alternatives, would break all sorts of accessability and discrimination laws. This isn't to say that they make it easy to bypass the websites. I needed a new health card, lost mine years ago and needed it for some health services. I went to an office, where in the front area it was full of a couple of banks of computers. The 'greeter' at the door asked what services I was seeking, and pointed me to the computers and said words to the effect of "you can use one of these computers to log in to your government portal account, access the health services page, and log your replacement-card request", I told them no, I do not have and will not create a government portal account. I had to wait about an hour for a staff member to serve me in person, but it was done.
Not sure which country you're in.
The UK benefits calculator is only available online and there's no government help for those who can't/don't/won't use computers - although there are charities that will help.
UK fisherman, by law, have to log their catch on a government website before they land it. If, as you suggest, they landed it and drove it to the ministry of farming, fisheries and food and asked them to do the paperwork then they'd be breaking the law and risk a criminal record.
That's just two I've got personal experience of over here. I'm sure there are others and I'm certain it will get worse.
You don't say whether JS is required for these sites nor, if it is, whether 3rd party JS is required. In general I find that whatever other faults gov.uk sites may have (such as always apparently being in beta!) intrusive JS isn't one of them.
Until these issues are actually tested in court we don't actually know whether they're really legally enforceable or not. What, for instance, would happen if a fishing vessel couldn't get a connection for one reason or another and went to the harbour-master, not DEFRA*, to report the catch? What would happen in the event of a discrimination case brought on behalf of someone who couldn't use the benefits calculator?
*MAFF hasn't been its title for years.
@AC "UK fisherman, by law, have to log their catch on a government website before they land it. If, as you suggest, they landed it and drove it to the ministry of farming, fisheries and food and asked them to do the paperwork then they'd be breaking the law and risk a criminal record."
Not to mention the risk of their vehicle smelling of rotting fish after driving their catch from the port all the way to London.
UK fisherman, by law, have to log their catch on a government website before they land it. If, as you suggest, they landed it and drove it to the ministry of farming, fisheries and food and asked them to do the paperwork then they'd be breaking the law and risk a criminal record.
Fair call. I was thinking more in terms of personal situations rather than business-oriented situations where you already need some sort of license/permit to operate in the first place.
Quote, "The UK benefits calculator is only available online and there's no government help for those who can't/don't/won't use computers"
That is just wrong.When I claimed my state pension, and I have claimed a couple of other benefits since, they all offered me a choice of claiming via the post or doing it all over the telephone. I do it all via post.
You can also do the "benefits calculator thing" over the telephone.
'the ministry of farming, fisheries and food'.
Where have you been for the last 21 years? It's been Department for Environment, Food and Rural Affairs since 2001! But yes, everything that can be automated and outsourced to the 'customer' has been, and they don't even have dedicated offices now, tending to share them with other government departments and agencies. Because of the reduction in units of human resource required after the automation and outsourcing.
Been there, done that, thankfully retired.
Thank you for pointing out that fact before I could return to do it myself. Enjoy a pint in thanks.
To the AC that asked about non-accessible sites, the responce is simple. I call up that department & inform them that the site fails the Americans with Disabilities Act requirements that all government services be equally accessible to the disabled as they are to the able.
Like Eldakka mentioned, they often try to get me to log in via a terminal in their lobby. I sit down, put my fingers on the keyboard, & wait for their computer to begin speaking. What's that, no screen reader? Well, thank you for proving my point. Even better is if it's a touch screen & there's not even a keyboard for me to use. A flat slab of featureless glass with no haptic feedback, oh yes that's _oh_so_ accessible... Not.
I then make them get up off their lazy ass & assist the disabled to do what the site won't allow me to do. Yes it annoys them, but not as much as it annoys ME for having to navigate the artificial obstacle course in my path.
JS isn't needed for, and is actually counter-productive for, accessibility; it's absolutely not in the best interests for security.
It's like they want to use a can on a string to phone HMRC because they perceive it to be more secure and having a hissy fit because the government insists that they use a telephone.
It's so bizarre that these cultists think they have a legitimate grievance. If you're that paranoid then either open your browser in a VM or cut down on the cocaine.
Because others actually are the problem. Just because many people have been conditioned into accepting an abusive situation, or simply don't understand the matter at all, that does not mean everyone should just roll over and blindly accept it. Websites that insist on loading giant piles of unnecessary scripts are a real problem in terms of usability, accessibility, and security. Pointing this out is not "going out of our way to be difficult" it's just, you know, pointing out the problem.
This post has been deleted by its author
@ShadowSystems
I'm 100% with you on this.
I've recently noticed an increasingly common pernicious habit in 'cookie permissions' pop-ups. At first sight, all appears legal - the essential cookies box appears ticked and the non-essential cookies boxes appear unticked. However, when you turn the style sheet off, they all show as ticked. A prime offender is a third party 'cookie permissions' service that serves the pop-up to web sites. A result of auto click through would be to break the law by enforcing consent.
However, as to the 'ancient browser', quite apart from the browser nagging for updates all the time, an increasing number of sites (goooooooogle drive for one) complain that one's browser is 'not supported' now. I supposed we're expected to keep the churn turning regardless of any other considerations (including security, performance and convenience).
Exactly the question I came here to ask. It seems to rely on the provider correctly labeling the 'essential' cookies, and also on the hidden question of 'essential to whom?'
Perhaps a simpler approach might be a browser which simply deletes cookies when the tab containing the page is closed, rather than waiting until the browser is closed? (Yes, I know there are add-ons, but they damn well shouldn't need to be.) Or better yet, sandbox cookies so they are visible only within the tab which sets then and then only until the domain viewed changes?
'essential to whom?'
The European law is explicit on that point. 'Essential' means strictly necessary for delivery of the service to the customer - i.e. the service could not be provided without the cookie for a specific technical reason - e.g. a shopping cart cookie or a site access credential. 'Required for our [or your] convenience' is explicitly excluded from 'essential'.
The big problem is that almost all businesses simply ignore the law, and get away with it because it's not policed other than via complaints (and the abuse is very hard for the customer to find out about in order to complain). The entire failure of the GDPR (and it's a huge failure) is that it's ineffective because it's not enforced except in the most egregious instances of breach. So the cultural position of business (and not just businesses outside the EEA) is that compliance is unnecessary.
...that forcing every web site to put up a dialog which you need to click "accept" before you can use it would have the "unexpected" effect of training users that whenever a web site puts up a dialog the easiest way to get on with your life is to click "accept" without reading it
Congratulations EU wonks, you just made the problem a whole lot worse.
The website designers are the ones who put up the dialog which you need to click 'accept' to use the site.They could design the website without tracking cookies, but they choose to indulge in shitty practices.
The EU wonks are just raising awareness of the shitty practices of the website designers.
If the AI assures them it has disabled all the non-essential cookies then most users will let their guard down so all the website needs to do is find a trick that fools the AI but not a human and loads of people will accept cookies they would manually reject. Then the developers of the AI will be looking for a way around that...
I think Douglas Adams described the phenonomon with regards to his Thumb device, no?
It's illegal to walk out of a pub after a few hours and piss on the street ... so maybe we should just make cookies illegal - it's not that different. Yes, it would change the web environment but stopping people pissing on the street helped make the world a better place.
Doesn't the website's data controller need to have the informed consent of the end user to collect their PII?
It seems to me these shady pop ups put the data controller in breach of GPDR, and liable to the fines that result.
The existence of an AI pop up clicker removes the validity of the assumption that the end user must have given consent via the pop up. I could see a court fining a data controller because they didn't apply a captcha to the pop up, but assumed it must be the user.
Are we seeing the tech companies walking into an EU government trap to 'tax' them by lulling them into a false sense of security, then applying GPDR fines for these transgressions? I hope so, but I doubt it. As Hanlon's razor says: never ascribe to malice that which is adequately explained by incompetence.
The EU should really legislate that accepting only essential cookies must be at least as easy as any other option. But it would be much more fun to back the websites into it by fining them repeatedly, forcing them to add captchas to the pop ups etc. until they get the idea...
"Some of the organizations forced to implement these pop-ups have designed them specifically to be tricky to navigate, or use dark patterns to fool someone into selecting the opposite desired option,"
Right, I see that from time to time and wish it would go away, but;
"A team of researchers at University of Wisconsin-Madison and Google..."
Right there is the problem.
If you have ever had to click through the Youtube cookie dialog you will know what I mean. Who in their right mind has boxes that allow you to switch off cookies showing the palest of pale blue change when you decline a load of data that Google wants to take for itself? And then goes back to the white original colour after you have chosen?
Aesthetics? I don't think so. It's just one example of Google desperately trying to grab anything they can get about your internet habits.
And they then expect us to believe that this project is for our benefit?
Pull the other one, it has got bells on.
"When confronted with cookie popups, which are required by European law and other legislation"
Please! This is not true!
Law only comes into play when a site tries to set up a surveillance environment. I estimate that 95% of my web use can be achieved to my full satisfaction and with full functionality by clicking links and using sites' search facilities, with no need for cookies whatsoever. As for 'essential' cookies, from a user's point of view they are very rarely essential except when buying, selling, commenting, etc.
That the words 'required' and 'essential' are routinely taken at face value and not questioned shows the extent to which surveillance is widely assumed or not well understood.
Google is involved, so I think I'll give this a very wide berth, no thank you. What's the bets that the machine learning takes place on Google servers "to enhance your experience" and that in doing so Google sets up a little shadow profile of all the sites the user visits as part of that learning process and, oh, yes, very definitely doesn't try to tie that data to you in as many ways as it can. If anything, Google are only doing this so that they get the data and at the same time locking out other ad/tracking platforms from doing so (not that I shed any tears for any of them).
There is already an extension available for most browsers, CookieBlock (see https://karelkubicek.github.io/post/cookieblock and https://www.ghacks.net/2022/03/24/cookie-block-corrects-gdpr-violations-in-the-browser/), that uses ML to try and eliminate non-essential cookies.
Rather than simulate clicks it bypasses that stage and just deletes the non-GDPR compliant cookies you don't want.
To make it work you do also have to use something else to auto click through the consent dialogue (e.g. uBlock Origin / Dashboard / Filter lists / Custom / Import ADD : https://www.i-dont-care-about-cookies.eu/abp/).
This extension is also developed by academic researchers but without Google involvement.
Anyone else tried it?
I use Vivaldi, with trackers and adverts blocked by default, and no third party cookies saved. I also have uBlock Origin installed, which handles some more stuff that Vivaldi misses. And the "I don't care about cookies" plugin that removes most popups.
Global (works for all sites not white-listed by me) and fully under my control.
The EU cookie legislation is pointless, extremely annoying, and most probably makes the problem worse by people actively "accepting" dodgy cookies without thought.
.The legislation is not pointless at all. The problem is not with it but with the implementation of 'consent' adopted by most sites.
It would be perfectly possible to make the default 'essential cookies only' (for which no consent is required) and have a simple link to a page containing explanation and reject-by-default selectors for other cookies. Then the user would by default not have to do anything at all to use the site, but could voluntarily choose to follow the link and make choices to accept further cookies if they wanted to.
However, as the publisher's purpose is typically to obtain 'consent' for all cookies by fair means or foul, they make it annoying or impossible to proceed to the content without being forced to make cookie acceptance decisions. A perfect example is Amazon, that superimposes a full screen overlay over the page content that only goes away if you make cookie choices and have javascript enabled. And of course the legislation is not just about cookies as a specific technology but refers to all kinds of tracking entities, and who knows what that javascript is doing?
I've recently noted an increasing prevalence of a very naughty trick whereby with CSS enabled the non-essential cookie choice selectors appear unticked by default, but if you disable CSS they are shown to be ticked. That's not the fault of the legislation - it's the fault of the site publisher and actually contravenes the legislation.
This is an interesting solution and could be a reasonable stop-gap measure, but I think in general I prefer the idea the ICO have proposed in the past and covered by El Reg at: https://www.theregister.com/2021/09/07/ico_cookies_g7/
If you can't be bothered to read that; TLDR: develop and implement standards to set your cookie preferences locally and signal them to the site when you visit it, eliminating the need to interact with manual cookie preference dialogues when you visit a site for the first time or have since deleted its cookies.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
