[Faint]

All this "do you agree to this and that" nonsense could be avoided by "inversion of control": instead of sites asking users whether they agree to this 100 page document, websites should be legally bound to listen and honor directives that users give about the data the sites gather.

For example, for cookies, legally force, with the cookie (with a standard protocol), transmit of "intent", like cross-site tracking, whether it is used for advertisement or something else, whether it may be shared with third parties, etc. Then the browser would simply not accept cookies with intent the surfer disagrees with.

Another possibility is, that the browser could, in a standard header, with a bunch of standardized flags, tell what the site may or may not do with the data they gather about the surfer.

[joshuaissac]

> Another possibility is, that the browser could, in a standard header, with a bunch of standardized flags, tell what the site may or may not do with the data they gather about the surfer.

There was a W3C standard called P3P which is similar to what you describe. It was implemented by Internet Explorer, but fell into disuse long before cookie notices became common. Bringing back something like that would be an improvement over having to deal with cookie banners per site.

[Macha]

It fell into disuse as compliance was strictly voluntary on the part of websites. So they did not comply.

[lallysingh]

In an international internet, how would any non-technical requirement get enforced? Legal is easy to skip. Just run the website by a subsidiary housed in a less regulated country.

[bscphil]

Isn't that just an "in theory" though? In practice, a ton of sites have these cookie warnings because the EU mandated them. If a large enough legal body mandated that websites obey prescriptive privacy statements from their users, most legitimate sites probably would.

[tgsovlerkhgsel]

The same way GDPR is enforced. Given the cookie popups I'm seeing everywhere, it doesn't seem to be toothless.

Realistically, if the EU were to impose such a rule, then any ad company doing business in the EU would have to follow it. Thus, any web site deriving any significant revenue from EU advertisers would have to follow it. I'd strongly assume that it's not possible to effectively monetize EU eyeballs without EU advertisers. Of course, anything operated by a EU company or hosted in the EU would also be subject to these rules.

While some local US news would certainly take the "we block all traffic from the EU" approach to avoid dealing with it, the advertising and tracking landscape would quickly and drastically improve.

If now, for example, California would also decide to copy these rules, this would very quickly be the worldwide standard.

[totalZero]

That isn't much of a solution if you do business in the foreign country whose requirements are being circumvented.

[jbd0]

Isn't it also possible that the site will not comply if you ask them to "not use cookies for advertising" via their form?

[ccheney]

There's also DNT (do not track) where the standards group was disbanded[1] in early 2019

[1] https://github.com/w3c/dnt/commit/5d85d6c3d116b5eb29fddc6935...

[eyelidlessness]

A much more naive version of this, the Do Not Track header, was removed from major browsers (partly) because it was actually being used for fingerprinting. I strongly suspect a less naive version would be subject to more abuse: as it gets more granular it becomes a fingerprint all on its own.

I understand that you’re suggesting pairing it with legal force, but I also highly doubt that would or could be effective in any kind of consistent way.

[GordonS]

I think another reason Do Not Track failed is that advertisers (e.g. Google) didn't like it. Microsoft setting Do Not Track on by default in Internet Explorer was likely the death knell.

[chrisrhoden]

The on-by-default setting was technically a violation of the standard, which meant that participants felt they could ignore the setting for IE, which didn't help the initiative for sure.

The industry-led-initiatives are all basically bad, for the obvious reasons. So many of them amount to telling ad networks whether or not the massive amount of data they have collected about you should be part of the consideration for what ads to show (for now) — many offer no possible way to opt out of recording and storing such data in the first place.

This is a situation where legislation is probably the only answer.

[panny]

>The on-by-default setting was technically a violation of the standard

A standard written for advertisers by advertisers. This is the problem. There are technical solutions, but the biggest advertiser (Google) makes the browser. This is the same as "the revolution will not be televised." The adversary controls the medium.

[toss1]

Attach it with legal force and money, as in allow users to sue for violations, and explicitly permit class actions with the definition of class (all people similarly situated; definition frequently abused by defendants) to be anyone with a browser.

Needs more work,, but the concept is that it needs to incentivize developers to develop track-the-tracker technologies that will catch violators, which then leads fairly directly to a profitable private suit (instead of relying on the overworked govt bureaus to do it).

[reaperducer]

For example, for cookies, legally force, with the cookie (with a standard protocol), transmit of "intent", like cross-site tracking, whether it is used for advertisement or something else, whether it may be shared with third parties, etc. Then the browser would simply not accept cookies with intent the surfer disagrees with.

And then you get Facebook spending millions of dollars taking out full-page ads in newspapers telling people that you are an evil demon who kicks puppies and hates small businesses.

(Ever notice that when Facebook wants to reach the most people, and the most important people, it uses newspapers, rather than its own platform?)

[gord288]

> (Ever notice that when Facebook wants to reach the most people, and the most important people, it uses newspapers, rather than its own platform?)

They do this when they want to get the attention of legislators, or the gatekeepers/editors of legacy corporate media outlets.

[Nextgrid]

I guess that proves his point - Facebook itself admits how worthless their advertising platform is when it come to influencing important/powerful people.

[renewiltord]

Right, but most of the time I don't want to influence powerful people. I want to sell shoes.

[dillondoyle]

One doesn't exclude the other. Facebook is incredibly valuable.

If they wanted to, Facebook could target directly 1:1 to decision makers on their platforms with their own data. It would probably be creepy though instead of just doing a blanket all of DC type promoted post.

[kelnos]

Sure, but I don't think FB was ever optimizing for that case. Businesses buying ads to get the masses to buy their stuff is far more lucrative.

[phjesusthatguy3]

Who, in your opinion, are "the gatekeepers/editors of legacy corporate media outlets"?

[devlopr]

The anti apple ads were run here:

The New York Times, Wall Street Journal, and Washington Post

https://www.google.com/amp/s/www.macobserver.com/news/facebo...

[phjesusthatguy3]

There aren't any anti-apple ads in your google amp link. Not even when I load them up in amp-player. Maybe macobserver.com fixed it, but I doubt it.

[rebuilder]

How would it look if Facebook started pushing it's own political propaganda in ads on their own site?

[klyrs]

Honest... about their scuzzines.

[reaperducer]

Like it was eating its own dogfood.

[2112]

Personally, I find that this [0] doesn't break many sites at all, but messes with cookies to an appreciable extent. Combine this to an extensive use of that [1] and clearing your cache and cookies every day, and I think you're in decent shape while some heavy and heavily lobbied government body inches towards doing something about it.

[0] uBlock Origin

https://addons.mozilla.org/en-US/firefox/addon/ublock-origin...

[1] Firefox Multi-Account Containers

https://addons.mozilla.org/en-US/firefox/addon/multi-account...

[rakoo]

I went a step further and installed Temporary Containers. Unless the domain is a special one (and goes in a long-lived container), a new tab cannot share any content with other tabs. Whenever the tab is closed all site-related content is removed.

It's still a bit wonky because some sites do redirections, and it's not properly caught (unless there's some option I missed)

The next step is to disable _all_ cookies, even first-party, by default (unless I have a special relationship with the domain of course). It's working surprisingly well and I believe this should be the default.

[oauea]

> The next step is to disable _all_ cookies, even first-party, by default

I suppose you never login to websites?

[floren]

I'd assume he considers "having an account" to fall under the clause you snipped: "(unless I have a special relationship with the domain of course)"

[vorticalbox]

I did this too. Another pain point I've found is when logging into websites with github or other oauth provider requires grouping that website in with the services perminent container.

[Mathnerd314]

> clearing your cache and cookies every day

A good extension for the cookie part is https://github.com/Cookie-AutoDelete/Cookie-AutoDelete - it deletes all cookies from a site after you close the tab.

[ssss11]

You’re on the right track. Browser makers should be on the users side and websites should have to honour users preferences which are configured and sent to sites in the headers.

[matheusmoreira]

Completely agree. At some point, browser ceased to be user agents. They became mere viewers of content.

[hartator]

No one wants to be tracked though but they want the website to work. “All cookies” seem to play with that line. Don’t track me but allow website to work must be enforced on the client side. It’s what we do with uBlock origin and things in the like.

[ncallaway]

The new GDPR cookie banners are much better.

They are required to have a button to let you manage preferences, and are required to allow you to disable all cookies that aren't necessary for the site to function.

So, on any GDPR cookie banner I always click the smaller "manage" link instead of the "accept all" button. On the manage page, disable every option provided, then close the modal. I've never had a site that offered this kind of banner break in any way because of the disabled cookies.

[Macha]

You probably have had sites that either had no such options, or stuffed some tracking into required/legitimate interest/essential sections and tracked you anyway however.

[ncallaway]

I probably have.

And I haven't paid close attention, as I'm an American citizen and couldn't pursue sites over such a blatant violation of the law.

Were I a European citizen, however, I would watch extremely closely and absolutely be bringing complaints against sites that did that.

[remram]

This is more clicks, is often broken, and even if the button exist it may be tiny and hidden at the bottom of the list of all partners.

If I just clicked a link to a random article from search or social media, I'm not spending a full minute getting past the prompt on a website I'll probably never visit again. I'll click accept, and make sure my browser is loaded with all possible privacy extensions so none of it works.

[jimmaswell]

> all cookies that aren't necessary for the site to function

You know what is necessary for a site to function? Revenue. Therefore advertising cookies are necessary for the site to function and we shouldn't need these banners.

[Macha]

Very clever, everyone else who didn't want to comply with the rules had the same thought.

However:

Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects [1]

Section 3.3, Paragraphs 51-53:

> 51. Online behavioural advertising, and associated tracking and profiling of data subjects, is often used to finance online services. WP29 has previously stated its view on such processing, stating

> > [contractual necessity] is not a suitable legal ground for building a profile of the user’s tastes and lifestyle choices based on his clickstream on a website and the items purchased. This is because the data controller has not been contracted to carry out profiling, but rather to deliver particular goods and services, for example

> 52. As a general rule, processing of personal data for behavioural advertising is not necessary for the performance of a contract for online services. Normally, it would be hard to argue that the contract had not been performed because there were no behavioural ads.This is all the more supported by the fact that data subjects have the absolute right under Article 21 to object to processing of their data for direct marketing purposes

> 53. Further to this, Article 6(1)(b) cannot provide a lawful basis for online behavioural advertising simply because such advertising indirectly funds the provision of the service. Although such processing may support the delivery of a service, this in itself is not sufficient to establish that it is necessary for the performance of the contract at issue.

[1]: https://edpb.europa.eu/our-work-tools/our-documents/guidelin...

[ncallaway]

That's great and all, but then they're blatantly violating the clearly written rules of GDPR.

I'm an American citizen, so I have no real recourse with that, but their European citizens can bring the case to a regulator and they could very well be fined.

That interpretation goes against the spirit, and the very plain letter of the GDPR regulations.

That dog don't hunt.

[jimmaswell]

I'm aware Europe wouldn't actually accept this argument, it's just another reason I view GDPR as a blight on the web.

[ncallaway]

I mean, they rightly wouldn't accept the argument, because it's a poor argument given the protections that Europe has decided should exist for the privacy of individuals.

I happen to agree with the European values more than I agree with your values.

My data privacy should be a more important and more fundamental right than your ad revenue.

[notatoad]

what about an even simpler mechanism - a website offers cookies to the browser, and the browser can choose to either store or not store that cookie. if the browser chooses not to store the cookie, it's up to the website to inform the user that their browser has rejected the cookie and explain what functionality won't be provided.

[boxfire]

Would making all HTTP requests embed a header with a CCPA / GPDR claim be binding? It is as verifiable as any request through their form... its my original connection, so if they associate tracking data with me then they must associate this with me as well. Businesses should agree to my terms to make socket connections to me, else I should be able to see them in court. Proliferation is one way to end the modern shitty tracking madness.

> x-ccpa I do not consent to the sale or disclosure of my personal data and demand the deletion of my personal data per Californa CIV 1798.120, 1798.121, and 1798.105

[mnw21cam]

At a basic level, you shouldn't have to declare that you haven't agreed to something. You have only agreed to it if you actually do something to agree to it. The only advantage this could possibly have is if the web sites stop asking you to agree if you tell them in advance that you won't. However, I can't see that it would be illegal for them to ask anyway, so they will.

Secondly, this is another thing that would be used to fingerprint the web browser.

[msla]

Legally bound under whose laws?

We sometimes like to pretend that if a law is in force somewhere, it's in force everywhere, but that isn't the case. Otherwise, I'd be in serious trouble for saying I support Hong Kong independence. So you're creating these massively granular permissions and then passing some law, somewhere, saying they can't be used to fingerprint, but that's precisely what they will be used for everywhere the law isn't in force, which will likely be most of the world.

[GordonS]

I said the same thing in a recent thread about cookies, and someone pointed out that there had been some kind of proposal along these lines, but it hadn't gotten any traction. I don't recall the name of it tho. (it wasn't Do Not Track, it was more complex, where cookies had some kind of "intent"/category associated with them).

[eli]

Microsoft tried this 20 years ago with P3P: https://en.wikipedia.org/wiki/P3P

It's really really hard to come up with a machine readable code that encapsulates what each cookie means and does.

Also obviously true bad actors would just lie.

[remram]

In practice, this is what most people do: click "accept" to make the prompt go away, and use extensions to block the tracking scripts and cookies...

[Shivetya]

eventually all sessions will have to operate like they are in a private window keeping the cookies permanently isolated to the host site visited and quarantine any third party cookies perhaps even find a means to spoof them.

in effect our browsers will need a db type tech to manage cookies and only serve them back when appropriate. a lot of what sites want to preserve for us; log in and such; can easily be done without cookies

[wombatpm]

Now we are back to setting the evil bit on IP packets? Bad behavior will flourish until there are penalties commensurate with the benefits obtained.

[maxerickson]

I just tell my browser to discard all cookies at the end of every session (with a list of sites to keep).

[tagawa]

Take a look at Global Privacy Control (GPC) which aims to do similar to what you’re describing, and is legally binding under CCPA and could be under GDPR too: https://globalprivacycontrol.org/