Ask HN: Shouldn't web browsers ask us before storing cookies?

[jakemor]

Every time we visit a GDPR compliant site, we are greeted with the all too familiar (yet far from homogeneous) popup asking us to either accept or deny the site's privacy policy and cookie behavior.

I'd like to point out how this law is hurting the web.

When the onus is on the developer to ask a user for permission, the user is forced to trust the developer. For example when a website asks me if they can store cookies in my browser, and I say no, there is no easy way of me knowing if that site is actually listening to me.

Wouldn't it be cleaner if the burden was on the browser to ask us for permission?

In iOS for example, the operating system asks you if you'd like to grant an app access to your camera... not the app itself! Imagine we had to blindly trust an app to not use our camera, without any help from Apple. Mayhem!

Instead, the EU mandates that developers ask permission. Developers place a stupid looking div filled with legal jargon on their homepage. We roll our eyes and click accept. Good actors (who respected our privacy in the first place) continue to respect our privacy. Bad actors continue to ignore it.

[fitzroy]

Instead of asking for each site, just allow first-party cookies and delete them by default when the last tab of that domain is closed. The user should be able to favorite cookies to keep indefinitely, with the rest being cleared on a user-defined schedule (onTabClose, 1 hour, 24 hours, 1 week, etc). There was a free Safari extension called Safari Cookies that handled the favoriting but it stopped working several years ago. https://sweetpproductions.com/safaricookies/index.htm

I'm surprised this isn't a standard feature built into browsers. Seems like it would be obvious to have a level of granularity between accept all first-party cookies and accept none.

Edit: to clarify, I don't think setting cookies is the issue (and not worth the UX hassle to ask everytime); the issue is storing the cookies for longer than the interaction persists. To me, it's analogous to someone remembering who you are during a conversation vs adding you to their rolodex and storing that info indefinitely.

[SyneRyder]

Microsoft Edge Beta has this. In Settings -> Site Permissions, you can disable "Allow sites to save cookies", but then add individual websites to the Allow list. There is also a Clear On Exit list you can add sites to.

I'm pretty sure Firefox & Chrome have similar functionality.

[fitzroy]

Thanks, just found it here in Chrome: chrome://settings/content/cookies

I've mostly switched back to Safari ...so I look forward to getting this option in a decade or so.

In all seriousness, this would naturally fit into the new Safari "Websites" permissions in Settings. Right now cookies, databases, HSTS policy, and local storage are still in the old "Manage Website Data..." window, which would seem redundant now.

[yunruse]

I like this idea, but many users would find it equally annoying to have to manage this. A machine-learning software which tracks usage would be more welcomed, backed up by favourite status / use of password managers to make a good heuristic.

Just so long as the ML algorithm is open source and entirely personal – having a company decide which cookie is good would be easily abusable.

[proofofconcept]

As I remember it, this was an option you could enable in Netscape Navigator back in the dialup days. In practice it meant that every time you went to a new website you'd have to click ok on a dozen popup menus asking for permission to store each individual cookie before the page would load. I'm sure there are ways to make that process go a little more smoothly but in practice it's still probably something that most users would immediately turn right off.

[weinzierl]

If I remember correctly the UI for this existed long after Netscape Navigator. According to [1] it was removed in Firefox 44 in early 2016. I had expected that they only removed the UI but left the functionality available via about:config but that doesn't seem to be the case.

EDIT: According to [2] and [3] it seems the behavior was triggered by about:config network.cookie.lifetimePolicy set to 1 (ASK_BEFORE_ACCEPT), but the meaning of 1 apparently has changed over the years. At least setting it to 1 doesn't trigger any cookie dialogs in my Firefox 70.0.1 (64-bit).

[1] https://www.ghacks.net/2016/02/05/firefox-44ask-me-everytime...

[2] https://bugzilla.mozilla.org/show_bug.cgi?id=233339

[3] http://kb.mozillazine.org/Network.cookie.lifetimePolicy

[cheez]

Oh my god, you just triggered some horrifying memories of that popup.

No, you definitely don't want the web browser to ask.

[kbrosnan]

In the dial-up days I remember turning on ask to set cookies. It was fairly common to need to deny 10-20 cookie requests even back then. Now there are extensions to manage website trackers that deal with more than just cookies. Extensions are a ton better than having the user agree to each cookie that is sent.

[cheez]

Yep.

[jwagenet]

You don’t want the browser to ask because the large number of cookies is so normal.

[cheez]

It was brutal even back then.

[hos234]

It used to be an option in Firefox. You have to go dig around bugzilla to find the reasons they removed it -

https://bugzilla.mozilla.org/show_bug.cgi?id=1249151

https://bugzilla.mozilla.org/show_bug.cgi?id=606655

[userbinator]

...and this:

https://bugzilla.mozilla.org/show_bug.cgi?id=570366#c1

"This option isn't supported, last I checked"

What a reason. They decided to remove it because it "isn't supported"? So much for "open source" being better at "do what users want"... if you personally don't need that option, fine, don't use it. But don't go taking away things that a lot of others want.

I get extremely angry whenever I see discussions like that. You can read and even participate in them, but your opinion is ultimately useless because you're not part of some privileged group who makes all the decisions about what to do with Firefox. It's no better than proprietary software where your bug reports are similarly ignored, besides being possibly a little bit easier to patch.

[detaro]

I feel like this is an unfair representation of that comment.

If the actual backend doesn't support that option, it's indeed a problem that the UI offers it, especially if it's causing a bug. The question if it should be supported is unrelated to that, and not really a topic for that unrelated issue. I've certainly had my own bad experiences with Firefox issues, but that's not a good example.

[snagglegaggle]

Look at https://bugzilla.mozilla.org/show_bug.cgi?id=1355407, where Mozilla is defending using the page visibility API to stop video playback for backgrounded tabs.

A user brings up the amusing parallel that Mozilla shouldn't block popups for the same reason they don't want to block the page visibility API.

[wronex]

Firefox Focus for Android is great. It never stores anything. Which I think is a useful default when looking at shared links, doing quick searches, reading news etc.

[tempestn]

From my perspective, a lot of the problem is that there are very legitimate uses for cookies and other types of local storage, outside of advertising and other sorts of tracking. IE remembering user preferences, knowing what messages they've seen, that kind of thing. It would be a huge hindrance to not be able to persist any kind of state between visits. The real issue in most cases are third party cookies from ads and other trackers, but in almost everyone's understanding these are all lumped together into the single category of 'cookies'.

Of course, it's not quite as simple as "first party cookies fine, third party bad", since when you're on a domain like google.com for example, a whole lot of tracking goes on with first party cookies. But still, that can be dealt with. If I were coming up with a regulation (be it enforced at the browser or site level) it would make a distinction between first party cookies on domains serving up to X users per month, first party cookies on domains serving over X users per month, and third party cookies on all domains. The first of those categories could, I think, be unregulated. Save messages and/or restrictions for the other two and I think it would go a lot further toward achieving the goals of these sorts of initiatives, while being much less of a useless annoyance.

Firefox is going in this direction somewhat with their default blocking of third party cookies, but there's nothing they can really do unilaterally to treat first party cookies on google.com differently from bobsblog.com.

[neilobremski]

I agree that "this law is hurting the web" but I don't see how shifting that from the website to the application is going to solve the root issue. Prompts like these are annoying speed bumps that I have a hard time believing are in anyway effective -- paranoid people already deeply evaluate the software and services they use whereas the casual user is likely to just to "yah yah, get this out of my face" click it.

[jakemor]

If you tell the website “no don’t track me” it can’t even remember not to track you (because doing so would be tracking you!) so they have to ask every time.

If you tell the browser no, it would just block the site from storing any info in the browser. It would ask you once only the first time you visit a site, and you can change it whenever in the toolbar. Problem solved, no?

[TheCoelacanth]

> If you tell the website “no don’t track me” it can’t even remember not to track you (because doing so would be tracking you!) so they have to ask every time.

That is absolutely not true.

[morpheuskafka]

How about, if you install software such as a web browser on your computer that has a certain functionality intentionally exposed via an API, and you then visit sites that make use of that API, you have given consent for them to use it. And if you don't like it, you can reconfigure said browser to block them.

[Retric]

Technology can have legitimate and illegitimate uses. Just ask the humble crowbar. Laws are how we codify such things and software is no different.

Consider, a computer virus is only doing what the OS/hardware allows it to do. By your reasoning that should be absolutely acceptable in all situations as TCP/IP is an API.

[sillysaurusx]

And if you don't like it, you can reconfigure said browser to block them.

Oh?

I'd love it if that were true. But increasingly, it's not.

Take the YouTube app on iOS. It has no extension functionality. And it's de facto the YouTube browser.

Is it a web browser? Depends how you look at it. YouTube is the web of videos.

Even if we're talking about the actual web, Chrome on iOS doesn't seem to be configurable with extensions. Certainly not easily reconfigurable. In fact, Apple blocks apps that become too configurable, like Expo's old "Scan a QR code and now see your app running immediately" functionality.

Sadly we no longer seem to live in the world where you're encouraged to reconfigure anything.

[dragosmocrii]

Well said! Now if browsers wouldn't have the option to manage certain things, that would be a different matter.

Food for thought: how about advertising companies needing to ask people for consent for showing them the ads; your local post asking for consent for delivering tou junk mail; etc... Lots of things are taken for granted and we just have to cope with it

[_jomo]

I'd like to point out that GDPR compliant sites don't need to ask permission for strictly necessary cookies.

I also recommend using Cookie AutoDelete for Chrome [0] or Firefox [1]. You can define a whitelist of websites where you actually need Cookies (because you want to stay logged in), and the rest will be forgotten when you close the tab. It even allows different rules in Firefox Containers.

0: https://chrome.google.com/webstore/detail/cookie-autodelete/...

1: https://addons.mozilla.org/en-US/firefox/addon/cookie-autode...

[jopsen]

> I'd like to point out that GDPR compliant sites don't need to ask permission for strictly necessary cookies.

That's also my interpretation. If you use cookies for session state, authorization, then it's no problem.

The problem is that every website decided that they needed to track users. Or that asking for permission would minimize liability.

[ChrisSD]

Even with tracking you merely need a privacy policy in a place users can find. It's considered implied consent to continue using a site if the site makes a reasonable effort to make you aware that such a policy exists.

However, what counts as reasonable hasn't been explicitly defined. The UK government considers it fine to use a header that automatically disappears after awhile (i.e. no need to click "ok"). But other governments may view it differently so I can understand some large organisations being cautious.

[simpss]

no such thing as implied consent in GDPR.

Here are the conditions for consent: https://gdpr-info.eu/art-7-gdpr/

Most sites don't adhere to that at all as there's pretty much no way to "not agree", which means they can not rely on consent as a legal basis for processing PII.

[kd5bjo]

I feel it's important to note that, although implied consent doesn't mean anything in a GDPR context, consent isn't necessarily required at all. It's only one of 6 different justifications a business can use to show their activities are legitimate: https://gdpr-info.eu/art-6-gdpr/

[Macha]

And they all have their own stipulations. Contract requires that the data is needed to perform your part of the contract, legitimate interests requires documentation proving you do need the data and weighed the risks to users

[Nextgrid]

The GDPR consent prompts are less about technicalities (are you using cookies or local storage) and more about giving the side permission to stalk you no matter what method they use.

The real problem here is the lack of enforcement of the regulations. The majority of GDPR consent prompts are obnoxious because they aren't actually compliant - compliant ones are much more pleasant. See this comment I just posted on another GDPR thread: https://news.ycombinator.com/item?id=21429666

Finally there's this misconception (it could be a lie perpetuated by companies looking to profit from GDPR-related consulting, or those looking to push back on the regulation by making it seem more annoying than it actually is) that all cookies require consent. That is blatantly false. Cookies to store site preferences (like language, font size), shopping carts or login sessions don't require consent as they're necessary for the functionality you're trying to use.

[raverbashing]

This is the right answer. I think the popups come mostly from a) an American interpretation of an European law and b) as a way to spite the users while "trying" to do the bare minimum to comply with the letter of the law (which might not be accepted as compliance)

And none of this farce would be needed if sites wouldn't track individual users. Showing ads don't require tracking individual users (and retargeting is frankly BS)

[gingerlime]

I honestly can’t figure out how these popups became so prevalent. They’re so obviously not compliant not just with the fine print of GDPR but with its spirit.

Even if you’re completely cynical about being compliant with GDPR I would imagine that not having popups like that at all is more compliant or less likely to get you in trouble than having those flagrantly-non-compliant ones...

[TheCoelacanth]

It basically the "I don't have to be faster than the bear, I just have to be faster than you" principle in action.

GDPR violations are so ubiquitous that regulators can't possibly go after all of them.

As long as you aren't a particularly juicy target and are doing the same things that everyone else is to pretend to follow GDPR, you probably aren't going to be among the first enforcement targets.

[kd5bjo]

There's also some cargo-cult legal reasoning going on as well, I think: instead of paying a lawyer to read the new law and tell you what you actually need to do, simply do whatever you see everyone else doing and assume it's fine.

[gingerlime]

But not doing anything visible might actually be better than pretty much advertising that you're not compliant. It might be easy to catch a bunch of sites using a 3rd party "compliance solution" popup banner in one big swoop.

[userbinator]

IE had it up to version 11:

https://www.technipages.com/wp-content/uploads/2014/07/IE-Ad...

Edge is dumbed-down and removes, among other things, that option:

https://answers.microsoft.com/en-us/edge/forum/all/cookie-co...

[oliwarner]

Storing data in a cookie is not the dangerous bit, it's the intent, the what you're storing that data for which matters.

A browser popping up a prompt saying "google.com wants to store a cookie, is that okay?" isn't enough.

The design of these cookie and enhanced data protection laws is that websites need to spell out their intent. To tell people what data they're storing any why. Yes, you could code that into headers and have the browser relay that information, but that's the stalemate we're in.

[wronex]

How about Firefox Temporary Containers?

https://addons.mozilla.org/en-US/firefox/addon/temporary-con...

I think they compartmentalize each tap until it is closed. Dunno if it only clears cookies or all other forms of storage.

Cookies get all the bad press when there is many other ways to store data. Or does the word "cookie" encompass all forms of persistent storage?

[Buge]

100% agree, I've argued for this same thing in the past.

https://www.reddit.com/r/worldnews/comments/7h28hi/google_co...

[kd5bjo]

Note that the GDPR isn’t just about cookies, it’s about all collection of personalized information, in any form. It also outlines plenty of scenarios that don’t require a separate permission request beyond simply doing business with a company.

We’re only in the midgame of this particular regulation— the rules changed “suddenly” and specified outcomes rather than methods. Regulators and businesses are in the messy stage of negotiating best practices as businesses change as little as possible and regulators give fines for misconduct.

The hope is twofold: that enough users will opt out to make problematic business models less profitable, and that the lower user friction of models that don’t require tracking will become relatively more successful. Neither of these goals is served by allowing a blanket permission setting.

[diminoten]

"Shouldn't" implies some kind of higher authority capable of enforcing such a feature universally across browsers, when no such authority exists.

Browsers give you all kinds of opt-out capabilities, if that's something you're interested in. The fact is, most people aren't interested.

[johnchristopher]

But those opt-out capabilities are as clear-cut as most of GDPR banners.

edit: mea culpa, I somehow missed bunch of keys and there is a missing negation in my comment which should read "But those opt-out capabilities aren't as clear-cut as most of GDPR banners." I mean: the UI isn't there to opt out of affiliated adtech networks or to store the amount of details the user is willing to share.

[NateEag]

Conceptually, there is no way to make trusting cookies both simple and transparent.

Even something as simple as a unique identifier can be used for both helpful and malicious ends. You'd need to read all the code pertaining to it to have a clue if it's something you should accept, and you can't ever know what the server's backend code is, even if it claims to be open source (it can always be running extra components that are not developed in the open).

So, opt-outs are inherently a flawed idea, at least with any granularity.

Turning off cookies entirely in your browser then opting all-in for sites you choose to trust is about all you can reasonably do.

[gpvos]

IIRC, in the early days, they did ask for every cookie.

[rzzzt]

lynx definitely had a "yes/no/all for this site" kind of question.

[dynom]

Your suggestion makes a lot of good sense. Cookies aren't the real threat though. Surely cookies are used for both wanted and unwanted tracking. Passive tracking however (fingerprinting of any form) will remain the threat we can't block and we won't know is happening.

If we add a mechanism to allow the OS to handle cookies, bypassing possible untrusty browser vendors. We won't solve much and create a false expectation, while (arguably) break more than we fix.

This doesn't mean we shouldn't, but if a method is found, it should include a significantly more comprehensive form of anonymity.

--2 cents

[rolph]

I usually right click and select an element blocker.

There was a time wayy back when a browser would prompt user when site requests to push out a cookie [up to about mid 90's AFAIR], but that was before the web was hijacked for commercial interests.

now there are often so many cookies with the typical website that a manual dialogue would waste all your user time.

so i think thats where the decision was made to include all cookies, in one broad permission setting.

[Rarok]

Internet Explorer (in the time of Windows 95) did that and people didn't liked and always checked the "Never ask my again" checkbox

[ecesena]

Browse in anonymous/private mode.

There’s unfortunately little difference between cookies used to keep you logged in and to track you. Therefore no cookies = log in every time. As long as you’re ok with that, go for it!

[simpss]

GDPR does not require "cookie consents forms" and neither do the EU e-privacy rules. There are clear exemptions for authentication and other technical cookies.

Basically, the form is only required if you're doing something nastier, like tracking.

I've never understood why sites just run with the concept and implement the "permission form" when it really isn't required for good actors.

https://wikis.ec.europa.eu/display/WEBGUIDE/04.+Cookies#sect...

ps: for firefox I use "cookie autodelete" extension https://addons.mozilla.org/en-US/firefox/addon/cookie-autode...

[butz]

Upcoming ePrivacy law should fix this nonsense with cookie banners. Although, having cookies permissions settings, like notifications and location in browser UI would be great.

[frippledipps]

It's just the beginning. Given the logic of the allmighty regime, each web link has to have a label describing all privacy impacts it might have if you click on it. The link will only open if you confirm.

[johnchristopher]

But that would place the responsibility to enforce GDPR on browsers vendors, not publishers. GDPR is about private information, the browser isn't interested in that, the publisher is, so the responsibility falls on the publishers.

[JohnTHaller]

They used to. Everyone hated it. They stopped.

[tinus_hn]

Do you really want 120 questions for each site you open?

[Buge]

It could be better than the current situation. It could give a single popup when you visit a site, and you would click yes/no and it would remember that forever. You would never get a popup for that site again.

With the current situation, there often isn't even a no button! You're required to click yes. And then if you ever clear your cookies, it pops up the box another time.

Additionally people who don't like the popup can simply go into their browser settings and say allow for all sites.

[zrm]

You don't need 120 separate questions, just a single list with all 120 cookies and their domains, with a checkbox next to each one and some "select/deselect all" buttons.

[EpicEng]

That literally almost no one knows how to use and clicks ok anyway.

[zrm]

It's not possible to make an informed decision about whether to accept a particular cookie without first becoming informed. No UI can change that. But it can at least provide the option for the people who take the time.

[DoubleGlazing]

It would be almost impossible to enforce. Publishers have a point of contact, an address or a hosting company, some sort of physical place where you can find whoever is in charge of the site. In other words, somewhere to send legal documents and summonses should a government wish to pursue legal action.

This is only partly true for web browsers. Google, Mozilla and Microsoft have addresses. But what all the browsers that have forked from open source projects? If someone forks Chromium and adds nasty features, how do you track them down if they did everything anonymously?

More to the point, if a law is passed that says "all browsers must do X,Y and Z". How to you enforce that in a world where open source is so prevalent? The big players may add the requirements to their flagship browsers, but if those browsers have open source underpinnings they have no control over the forked versions.

It's the publishers who are abusing browser capabilities, its much easier to force them in to compliance rather than trying to legislate how browsers work.

[jakemor]

> More to the point, if a law is passed that says "all browsers must do X,Y and Z". How to you enforce that in a world where open source is so prevalent?

Easier to enforce it on browsers than EVERY SINGLE website that uses cookies for tracking, no?