We’re sure you’ll agree that there are many annoying things on the Web. Which of them we rate as most annoying depends on personal view, but we’re guessing that quite a few of you will join us in naming the ubiquitous cookie pop-up at the top of the list. It’s the pesky EU demanding consent for tracking cookies, we’re told, nothing to do with whoever is demanding you click through screens and screens of slider switches to turn everything off before you can view their website.
Now [Bite Code] is here to remind us that it’s not necessary. Not in America for the somewhat obvious reason that it’s not part of the EU, and perhaps surprisingly, not even in the EU itself.
The EU does have a consent requirement, but the point made in the article is that its requirements are satisfied by the Do Not Track header standard, an HTTP feature that’s been with us since 2009 but which almost nobody implemented so is now deprecated. This allowed a user to reject tracking at the browser level, making all the cookie popups irrelevant. That popups were chosen instead, the article concludes, is due to large websites preferring to make the process annoying enough that users simply click on the consent button to make it go away, making tracking much more likely. We suspect that the plethora of cookie popups also has something to do with FUD among owners of smaller websites, that somehow they don’t comply with the law if they don’t have one.
So as we’d probably all agree, the tracking cookie situation is a mess. This post is being written of Firefox which now silos cookies to only the site which delivered them, but there seems to be little for the average user stuck with either of the big browsers. Perhaps we should all hope for a bit more competition in the future.
Cookies header: Lisa Fotios, CC0.
Mitxela has a great rant about the cookie problem: https://mitxela.com/rants (on the bottom)
Or use a consent form blocker, which feeds websites with a dummy cookie that pretends they’ve already clicked the buttons.
This. There’s a reason Doctorow pushes for “adversarial interoperability.” This is a prime example.
Much like adblockers and open source drivers, extensions that automatically click “no I don’t consent” interoperate with existing infra but subvert it to claw back value for users. Let people deploy their own technical solutions that make technology work for them. Scripts, extensions, whatever.
Definitely a “hack.”
I thought this article was going to be about cookies themselves. How hard is it to just remember your passwords?
Not difficult, but submitting your password with every page view is a pain. Cookies maintain login sessions on most systems.
With the password requirements these days (extra characters, symbols and numbers), I would argue that it can be difficult. Especially if you are trying to keep good practice with having different passwords for each site!
haha yeah before i read the article i was ready to type “the most annoying thing isn’t cookies, it’s javascript!” but those popups are javascript so :)
“consent requirement” VS. “Do Not Track header standard”
Funny thing about that – AFAIK under the relevant EU law(s) the DNT standard should be enough to circumvent most cookie banners. -> Just waiting for someone to sue a company because they ignored **the established industry standard** they used to tell that companies website to not track them.
As in: the EU law doesn’t require a cookie banner – just that the user must have the choice.
I think there’s something in there about a(n) “(established) technical standard”…
Cookies are just the first of all the Idiocracy-inspired stuff that we’re starting to accept.
Would you like to subscribe to our mailing list? We have an excellent support chatbot, go chat with it a bit? Why don’t you log onto our site using your Facebook account? Would you like Google to translate this page into English? Hey, looks like you’re from country X, do you want to be redirected to your local homepage? Oh, there’s a new version of the browser, install it now?
Cookies are how you stay logged in to a site. HTTP is stateless, so when you ask for http//your-email.com/inbox how will it know who you are and that you’re authorized? When you logged in, the site gave your browser a cookie with an cryptographically signed version of your credentials for it to present with every request from then on.
Jenny is talking about the ubiquitous consent prompts for _tracking_ cookies and the alternative that wasn’t adopted.
>”Would you like Google to translate this page into English? Hey, looks like you’re from country X, do you want to be redirected to your local homepage?”
But those two actually make sense (if you end up at a page that is not your native/preferred language). If the page is in a language I don’t know, translating it to a language I do know makes sense.
If I end up on a home page localization that reads right to left but my language reads left to right, then changing to a right to left home page makes sense.
If you’re bilingual (or more) then this might get annoying, but they could just add a list of languages you know into your browser and have it not translate or redirect on those pages.
The part you’re not looking at is that these are 3rd party services that pass your information to people who you might not want, disguising as convenience tools.
Would you like google to translate this site means google gets to know which sites you visit.
Yup. Today is the “embed this funny Facebook thump icon with JAVASCIPRT to your web page” – trend back in the days but in like gazillion times more bad.
It’s difficult to find a website these days that doesn’t have hooks to a gazillion different tracking servers outside of the site proper. All those social media buttons, google analytics, etc. send a ping out there regardless of whether you actually consent to anything the site itself is doing.
@Dude I noticed that even the NOAA sites uses google analytics.
Is that even legal? I mean I know it’s the US and they have the US congress doing the ‘protecting’ but still though.
I’ve only come across one single site that cheacks my browser language to determine my preference.
All the other sites that I have ever visited and that force a language do so by tracking my IP, which is stupid (for one thing VPN exists), but which all the big players prefer to do, and in plenty of cases they don’t even give you an option to change it…
That 1 single site is my bank BTW.
As for the main point about cookies: people complain about ‘constant popups’ but AFAIK the number of people that don’t allow permanent cookies is only a handful. Do browsers now force that on people or what’s going on here with the complaints? I mean if you don’t delete cookes the popup will only been seen once in a blue moon.
Oh and sites generally only do the popups to EU visitors right?
I agree.
The sad part is that they do this because it works.
Given that cookies are being phased out of browsers in the near future, it’s clearly an example of where people moved on from something that doesn’t really make sense anymore.
Someone should check if Hackaday’s cookie banner is in compliance with EU cookie laws because I can’t find any decline button.
Additionally that “Learn more” link seems a bit dodgy to me. It doesn’t even mention Hackaday on the page.
Looks like it redirects to SupplyFrame, which owns Hackaday and a few other tech component related websites such as Tindie and Datasheet Archive. From there you get the usual options of accept, reject or a la carte. Seems legit.
I believe I have rejected all rejectable cookies there on that page but I still get the banner on this site. On the banner I can only click OK, which doesn’t sound like a rejection to me.
The kicker is that HaD’s owner supplyframe is in turn owned by siemens, which is a EU company.
Oh well, easy to fine I guess?
so you don’t like them, but HaD does them anyway?
Going to this exact page I had a pop up saying
“By using our website and services, you expressly agree to the placement of our performance, functionality and advertising cookies. Learn more”
So you have an article talking about how bad what you yourself do. Intersting..
To be fair, the author of the post is not the site or the site’s owner (presumably).
If the site owner does monetize the site by selling cookie derived data (I don’t know if they do), at least they aren’t censoring the posts that speak out against said cookies.
My two favorites are one box to accept all tracking and the 200+ individual switches to reject all (Usually directly above the “accept all” button). And even if the Do Not Track flag in the browser is enabled and miraculously triggers all the vendors to be disabled there is always another tab/leaf where the “Legitimate interest” has an additional 200+ switches to toggle off.
/sarcasm off
It gets so much worse once the “Reject All” option gets merged with site subscription so your only options are now “Accept” or “Subscribe for $/month to reject”. It’s happening.
Cookie consent popups aren’t even on the same planet of annoying as captcha, which are quite often easier for bots to pass than humans anyway.
captcha is for training AI models first, validation second,
cookie popups are designed to turn a handily unsupported DO NOT TRACK tag, into a “accept necessary cookies” minimum default 2 clicks away, or a “stalk me like a bitch” 1 click away, GUI designers make that 1 click really easy to click for the 95% of people don’t give a F**k
…Anyone else hungry for cookies after that thumbnail?
The overlay that blocks the entire page, before you can read the page, while asking your opinion of the page.
But don’t you want to sign up!
Maybe let me read the damned page first and you might get a click-through rather than me just leaving the site.
There’s one major consequence of these cookie consent popups that I’m surprised doesn’t seem to be getting much coverage on the internet.
People have got so used to automatically agreeing to them that they will also agree to very similar looking popups asking for permission for the website to send notifications.
Agree to this on some disreputable websites, and you will receive a bombardment of spam popups. porn, fake antivirus warnings, all the very worst. As they’re not technically adverts, they’re notifications that you agreed to receive, they’re not blocked by ad-blockers, and they’ll appear even when the browser isn’t open. popup blockers won’t block them either, because, again, you agreed to receive them.
I’ve seen this a whole bunch of times now, when people have come to me complaining about popups, and presuming they must have some sort of virus.
Happens with phones too. One lovely old lady I help with her IT problems was being bombarded with some fairly shocking porn popups on her phone. Think she’d been looking for a live stream for a football match, probably not even realising that she was into the realms of pirate streams, and must’ve accepted a bunch of notification permission popups.
Fixed it by going into firefox notification settings and disabling all notifications. I had put firefox on her phone specifically for the ad-blocker add-on, so she couldn’t get scammed by dodgy pop-ups!