by etxm 2962 days ago
> Remember the cookie consent button you clicked at the very beginning? That's right, it was a Clickjacking attempt :)

Brutal. I have gone 100% autopilot to “cookie consent buttons”. I’m curious how many people are. That’s a very clever place to click jack.
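The consent-button clickjacking described above only works if the page carrying the button can be loaded inside another site's frame. The following is an added example, not code from the thread or from any site mentioned in it: it shows the response headers a defender would send so a consent page cannot be framed, plus a small audit function that parses `Content-Security-Policy: frame-ancestors` and `X-Frame-Options` the way a browser would and reports whether a given embedding origin would be allowed. The origins `site.example`, `attacker.example` and `partner.example` are constructed placeholders.

```python
"""Added example: anti-clickjacking headers and a framing-policy audit."""
from typing import Dict, List, Optional
from urllib.parse import urlsplit


def anti_clickjacking_headers() -> Dict[str, str]:
    """Headers a page that hosts a consent button should send.

    frame-ancestors is authoritative in current browsers; X-Frame-Options
    is kept for older ones. Both say: nobody may embed this page.
    """
    return {
        "Content-Security-Policy": "frame-ancestors 'none'",
        "X-Frame-Options": "DENY",
    }


def _frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the lower-cased source list of frame-ancestors, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None


def _source_matches(token: str, embedder: str, page: str) -> bool:
    """Does one frame-ancestors source expression allow `embedder`?"""
    if token == "'none'":
        return False                      # matches nothing
    if token == "'self'":
        return embedder == page
    if token == "*":
        return True
    emb = urlsplit(embedder)
    if token.endswith(":") and "/" not in token:   # scheme source, e.g. "https:"
        return emb.scheme == token[:-1]
    tok = urlsplit(token if "://" in token else "//" + token)
    if tok.scheme and tok.scheme != emb.scheme:
        return False
    if tok.port != emb.port:
        return False
    host, emb_host = tok.hostname or "", emb.hostname or ""
    if host.startswith("*."):                      # host wildcard, e.g. *.partner.example
        return emb_host.endswith(host[1:])
    return emb_host == host


def framing_allowed(headers: Dict[str, str], embedder: str, page: str) -> bool:
    """True if a browser honouring `headers` would let `embedder` frame `page`.

    Header names are matched case-insensitively. When frame-ancestors is
    present it takes precedence and X-Frame-Options is ignored, as in the
    CSP specification. No policy at all means anyone may frame the page.
    """
    h = {k.lower(): v for k, v in headers.items()}
    embedder = embedder.lower().rstrip("/")
    page = page.lower().rstrip("/")

    csp = h.get("content-security-policy")
    if csp is not None:
        tokens = _frame_ancestors(csp)
        if tokens is not None:
            return any(_source_matches(t, embedder, page) for t in tokens)

    xfo = h.get("x-frame-options", "").strip().lower()
    if xfo == "deny":
        return False
    if xfo == "sameorigin":
        return embedder == page
    parts = xfo.split()
    if len(parts) == 2 and parts[0] == "allow-from":   # obsolete form, single origin
        return embedder == parts[1].rstrip("/")
    return True


if __name__ == "__main__":
    site, attacker = "https://site.example", "https://attacker.example"
    print("hardened page frameable by attacker:",
          framing_allowed(anti_clickjacking_headers(), attacker, site))
    print("unprotected page frameable by attacker:",
          framing_allowed({}, attacker, site))
```

A useful way to run this is over the headers of your own consent page (for instance from `curl -I`): if `framing_allowed` returns True for an origin you do not control, the button on that page can be overlaid by a third party.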


Anything that users get conditioned to because of repeated appearance has this potential, and has been warned against.

What should really bother you is that rather than putting up these stupid cookiewalls the intended effect of the legislation was to get websites to stop tracking everything and everybody and this was the result.

Self-regulation didn't work, then there was a soft push, which resulted in a lot of wriggling to get around the law's intent, and now we will see the hard push.

I wonder how many parties will have the guts to try to wiggle out of the hard push, and I'm quietly hoping for one of the larger offenders to be hit so hard they have to shut down, which might send a useful message to the rest.

Analytics is fine but this wholesale profile building is really across the line.

What really bothers me is the law's original design got hamstrung when governments realized it would subvert their own site analytics, and we ended up with the quite-empty-but-mandatory dialog informing users that a site does a thing that is pretty fundamental web technology (not quite as fundamental as "Transmits data using the HTTP protocol", but pretty close)---instead of scrubbing the whole initiative or replacing it with a Europe-wide education initiative ("The EU presents: browsing and you").

Maybe regulation would work better if there weren't such a disconnect between what lawmakers think people want and the way the technology works.

> got hamstrung when governments realized it would subvert their own site analytics

That's a pretty strong claim. Citation needed.

nod

I always thought it was a combination of slow legislative process, legislators not understanding tech, and industry pushback. I somehow doubt underfunded government IT departments had that much pull.

Those cookie disclaimers are one of the most retarded things on the web.
IIRC the EU mandated that behavior.

Edit: More info: http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm

Cookie disclaimers at this point need to be taken to their logical conclusion: browser vendors and site operators should add a standard Yes-I-Know-What-Cookies-Are header to the next HTTP update, which can then be vomited at sites by default browser configuration to let them know it's okay to auto-hide the banner.

Hell, let's repurpose Do Not Track for it; it's not like it's being used for anything meaningful otherwise.

Does anyone honor Do Not Track requests?
I feel like honoring Do Not Track is like honoring deadbolts on wooden doors. Most people honor it, but you're not using it to keep those people out...
I expect that the reason why most people honor the first is the high likelihood of getting caught or seen. This deterrent does not exist for web tracking.

I think it's more likely that most tracking companies ignore do not track.

We do (at https://prodlytic.com) - if a client sends do not track, we treat every session as a new user, i.e., we don't track that user across sessions.
The DNT header reminds me of evil bit RFC [0]. It was funny back then, but times change I guess.

[0] https://www.ietf.org/rfc/rfc3514.txt
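The comment above describes one concrete way to honor DNT: when the header is present, every session is a new user. The following is an added example written for this thread, not prodlytic's code or anyone else's: a request handler that parses the `DNT` header as defined by the W3C Tracking Preference Expression draft (`1` = do not track, `0` = consent, absent = no preference), and either reuses or mints a persistent `visitor_id` cookie, or, under DNT, ignores any existing identifier and issues only a session cookie. The cookie name `visitor_id` and the one-year lifetime are assumptions.

```python
"""Added example: honoring the DNT header by dropping cross-session identity."""
import secrets
from http.cookies import SimpleCookie
from typing import Dict, Optional

VISITOR_COOKIE = "visitor_id"          # assumed cookie name
ONE_YEAR = 365 * 24 * 3600             # assumed persistent lifetime in seconds


def dnt_enabled(headers: Dict[str, str]) -> bool:
    """True only for 'DNT: 1'. '0' and an absent header both mean no opt-out."""
    for name, value in headers.items():
        if name.lower() == "dnt":
            return value.strip() == "1"
    return False


def _existing_visitor(headers: Dict[str, str]) -> Optional[str]:
    """Pull a previously issued visitor_id out of the Cookie header, if any."""
    for name, value in headers.items():
        if name.lower() == "cookie":
            jar = SimpleCookie()
            jar.load(value)
            if VISITOR_COOKIE in jar:
                return jar[VISITOR_COOKIE].value
    return None


def _cookie(value: str, persistent: bool) -> str:
    """Build a Set-Cookie value; omitting Max-Age makes it a session cookie."""
    attrs = [f"{VISITOR_COOKIE}={value}", "Path=/", "Secure", "HttpOnly",
             "SameSite=Lax"]
    if persistent:
        attrs.append(f"Max-Age={ONE_YEAR}")
    return "; ".join(attrs)


def analytics_identity(headers: Dict[str, str]) -> Dict[str, object]:
    """Decide which identifier this request is counted under.

    Returns the id used for this request, whether it outlives the session,
    and the Set-Cookie header to emit (None when nothing needs setting).
    """
    if dnt_enabled(headers):
        # Opt-out: never read the old id, never write one that persists.
        fresh = secrets.token_hex(16)
        return {"visitor_id": fresh, "persistent": False,
                "set_cookie": _cookie(fresh, persistent=False)}

    known = _existing_visitor(headers)
    if known is not None:
        return {"visitor_id": known, "persistent": True, "set_cookie": None}

    fresh = secrets.token_hex(16)
    return {"visitor_id": fresh, "persistent": True,
            "set_cookie": _cookie(fresh, persistent=True)}


if __name__ == "__main__":
    # Constructed request headers for illustration.
    returning = {"Cookie": "visitor_id=abc123; theme=dark"}
    print(analytics_identity(returning))
    print(analytics_identity({**returning, "DNT": "1"}))
```

The important design choice is that the DNT branch runs before the cookie is read: a returning visitor who has since enabled DNT is not linked to their earlier identifier even though the browser still sends it.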

Adafruit does. They put their YouTube videos behind a click if you send a “Do Not Track” header.
Is anyone required to honor DNT requests? What happens if they don't?
It's totally voluntary.
That was my understanding as well. I was not sure if perhaps recent legislation in the E.U. may have added any verbiage around that.
The GDPR rather makes it obsolete, actually. DNT was meant as a general purpose opt-out, whereas the GDPR requires an explicit opt-in for most things.

And well, DNT could have had legal bearing, since most legislations in the world require you to stop tracking when the user tells you not to.

So, if the user goes and sets up this general purpose opt-out, you'd have to have some sort of argument why you're different than what the user had in mind when they turned DNT on.

Could have had that legal bearing. Microsoft as well as Google and Facebook killed it off pretty well.

Microsoft by turning it on by default in Internet Explorer. Meaning that there were now lots of instances where the user had not explicitly gone into the settings to turn it on (nor did they perform some other action that serves as a reasonable sign that this is what they'd want, like going into InPrivate Browsing, or specifically installing a privacy-focused browser / operating system.)

Google and Facebook killed it off by saying right away that they would not respect it. With how many webpages bundle a Facebook Like button or Google: Analytics, ads, GStatic, ajax.googleapis.com, jQuery, fonts, ReCaptcha, Maps, YouTube etc.

As such, there were very few webpages left that could have chosen to respect it and no judge would have just ruled that everyone has to respect it. It would have killed the internet for a few months.

Same here. And it's so annoying that I'm scared of resetting my Android phone just so that I don't have to hit cookie consent everywhere...

Anyway, now with GDPR consent buttons on their way (at least in Europe), there's a fresh new opportunity for black hats to click jack their whole population of visitors all over again.

Install the "I don't care about cookies" extension; problem solved.

(Firefox for Android supports extensions, I don't know if there are any Webkit-based browsers that do.)

"Annoyances" type adblock lists work too.
The irony of a user having their privacy violated by a pop-up meant to protect their privacy is infuriating.
I just immediately hit those 'cookie consent buttons/boxes' with a uBlock Origin 'block element'. Gets rid of them permanently, and doesn't require submitting/clicking anything.
Knowing that most of the sites use that box to let you acknowledge they are tracking.

I wonder how that applies legally if they happen to collect data on you and you haven’t given consent.

Am I missing something? I don't see anything in the Network panel of my debugging console when I click the cookie consent button.
Google banned him from using their API (instead of fixing the issue). It worked when he posted it, it doesn't work now.
Why would you ever click one of those buttons?
They hover up and cover half of the screen on mobile.
Not clicking it doesn't stop them from using cookies/tracking you. The box is simply to inform you that they ARE doing it, whether you like it or not.
How is that consent?
Once you are informed you can leave the site if you want to.
Except that cookies are already transmitted to the client device in far too many cases before the disclaimer is displayed. Also I'm not sure blanket agreeing to all (tracking) cookies will be in accordance with GDPR.
The implication is that, now that you know that cookies are used for tracking, remaining on the site is implied consent. Like the omnipresent "this call may be recorded" statement at call centers.

It is an instance of a much broader issue, where contracts are no longer the result of any negotiation, but are a take it or leave it option.

I understand going after each and every website would be impractical, but imo a disclaimer with a button - most probably after the fact the site already transmitted a handful of cookies - does not comply with the spirit of the regulation.


Most people have at least a passing desire for cleanliness and order (the stuff that becomes OCD when out of balance) which compels them to get rid of the banner.
Because that's how you make them go away.