by pornel 1837 days ago
Reminder that we've already had a spec for it. In the 90s! And it even has been implemented in the Internet Explorer: https://www.w3.org/P3P/ It did absolutely nothing for privacy. Google has been sending bogus P3P headers that broke IE's implementation and allowed all cookies.

Adtech companies don't want users to have an easy opt-out. They didn't want P3P. They didn't want DNT. They will not want this new spec, unless the spec is so bad that most users will agree by accident.

The annoying and confusing cookie banners are a feature. Besides making people agree through confusion or attrition, the banners are malicious compliance. Adtech companies putting them up want you to be pissed off at the banners. They want you to associate them with privacy, and conclude that privacy laws are pointless and should be repealed.
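An added example, not part of the thread: a checker that tokenises a P3P compact policy (`CP="..."`) against the P3P 1.0 vocabulary, showing how a header with no policy tokens at all can still pass a user agent that only looks for tokens it objects to. The sample headers, the blocked-token preference and both "agent" functions are constructed for illustration and do not reproduce any browser's actual logic.

```python
import re

# P3P 1.0 compact-policy vocabulary (W3C P3P 1.0, section 4.2).
GROUPS = {
    "access": {"NOI", "ALL", "CAO", "IDC", "OTI", "NON"},
    "disputes": {"DSP"},
    "remedies": {"COR", "MON", "LAW"},
    "non-identifiable": {"NID"},
    "purpose": {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD",
                "IVA", "IVD", "CON", "HIS", "TEL", "OTP"},
    "recipient": {"OUR", "DEL", "SAM", "UNR", "PUB", "OTR"},
    "retention": {"NOR", "STP", "LEG", "BUS", "IND"},
    "categories": {"PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT",
                   "DEM", "CNT", "STA", "POL", "HEA", "PRE", "LOC", "GOV",
                   "OTC"},
    "test": {"TST"},
}
TOKEN_GROUP = {tok: name for name, toks in GROUPS.items() for tok in toks}
# Purpose and recipient tokens (except CUR and OUR) may carry a consent
# suffix: a = always, i = opt-in, o = opt-out.
SUFFIXABLE = (GROUPS["purpose"] - {"CUR"}) | (GROUPS["recipient"] - {"OUR"})
CP_RE = re.compile(r'\bCP\s*=\s*"([^"]*)"', re.IGNORECASE)


def extract_compact_policy(header_value):
    """Return the text inside CP="..." or None when the header has no CP."""
    match = CP_RE.search(header_value or "")
    return match.group(1) if match else None


def classify_token(token):
    """Return the vocabulary group of a token, or None if it is not P3P."""
    base, suffix = token[:3], token[3:]
    if base not in TOKEN_GROUP:
        return None
    if suffix == "" or (base in SUFFIXABLE and suffix in ("a", "i", "o")):
        return TOKEN_GROUP[base]
    return None


def audit_p3p(header_value):
    """Split a P3P header's compact policy into recognised and unknown tokens."""
    cp = extract_compact_policy(header_value)
    if cp is None:
        return {"verdict": "missing", "recognised": {}, "unknown": [],
                "declares_data_use": False}
    recognised, unknown = {}, []
    for token in cp.split():
        group = classify_token(token)
        if group is None:
            unknown.append(token)
        else:
            recognised.setdefault(group, []).append(token)
    if not recognised:
        verdict = "no_recognised_tokens"
    elif unknown:
        verdict = "partly_unrecognised"
    else:
        verdict = "all_recognised"
    # This checker's own rule (an assumption): a policy is only informative
    # if it states purpose, recipient and retention.
    declares = all(g in recognised for g in ("purpose", "recipient", "retention"))
    return {"verdict": verdict, "recognised": recognised, "unknown": unknown,
            "declares_data_use": declares}


# Hypothetical user preference: refuse telemarketing and sharing with
# unrelated third parties or public fora.
BLOCKED = frozenset({"TEL", "UNR", "PUB"})


def lenient_agent_accepts(header_value, blocked=BLOCKED):
    """Simplified model: skip unknown tokens, reject only on blocked ones."""
    cp = extract_compact_policy(header_value)
    if cp is None:
        return False
    return not any(classify_token(t) and t[:3] in blocked for t in cp.split())


def strict_agent_accepts(header_value, blocked=BLOCKED):
    """Also require that the header really is a policy describing data use."""
    report = audit_p3p(header_value)
    return (report["verdict"] == "all_recognised"
            and report["declares_data_use"]
            and lenient_agent_accepts(header_value, blocked))


# Constructed sample headers.
REAL_POLICY = 'policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CUR ADM DEV OUR BUS"'
SENTENCE = 'CP="This is not a P3P policy! See the site help pages for more info."'
SHARING = 'CP="CUR TELo UNRa STP"'

if __name__ == "__main__":
    for name, header in [("real", REAL_POLICY), ("sentence", SENTENCE),
                         ("sharing", SHARING)]:
        print(name, audit_p3p(header)["verdict"],
              lenient_agent_accepts(header), strict_agent_accepts(header))
```

The free-text header contains no blocked token, so the lenient model accepts it exactly as it accepts a real policy; only the check that the header declares anything tells the two apart.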

15 comments

This exactly. This is also why I never feel "ashamed" when sites ask me to please disable my ad blocker because when I block ads they'll go out of business. Or why I'll always decline even "user respecting" ads on sites.

We're fighting the ad and tracking industry here, the internet equivalent of a gang member with a shiv and a length of pipe. I'm not going to fight nicely. I'll deny you any chance and any method I get.

> People are taking the piss out of you everyday. They butt into your life, take a cheap shot at you and then disappear. They leer at you from tall buildings and make you feel small. They make flippant comments from buses that imply you’re not sexy enough and that all the fun is happening somewhere else. They are on TV making your girlfriend feel inadequate. They have access to the most sophisticated technology the world has ever seen and they bully you with it. They are The Advertisers and they are laughing at you. You, however, are forbidden to touch them. Trademarks, intellectual property rights and copyright law mean advertisers can say what they like wherever they like with total impunity. Fuck that. Any advert in a public space that gives you no choice whether you see it or not is yours. It’s yours to take, re-arrange and re-use. You can do whatever you like with it. Asking for permission is like asking to keep a rock someone just threw at your head. You owe the companies nothing. Less than nothing, you especially don’t owe them any courtesy. They owe you. They have re-arranged the world to put themselves in front of you. They never asked for your permission, don’t even start asking for theirs.

-- Banksy

Saving this text. Very accurate.
I agree that we should not feel shame at blocking ads. I remember when the web was new and "pop-up blockers" became a thing. Ad companies and everyone using them have long ago burned any and all good will we might have had towards them and deserve nothing but our contempt.
Then Google came along promising no intrusive banner ads or popups. They would make their money from quieter personalized ads that knew what you wanted because they had more data about what you were doing. People loved the idea. It was going to save the internet from the horrible advertising industry.
Actually, I seem to remember that these ads were contextual at first, not related to any profile they would have built for you but only related to the content of the page.

Which is entirely different. Ads are still manipulative (by design), but at least purely contextual ads don't track you.

Oh that's right. With gmail, people assumed they would be based on your email contents but sure if Google actually ever did that.
They did. They actually stopped not long ago (2017): https://variety.com/2017/digital/news/google-gmail-ads-email...
I remember IE6's so-called blocker failing to block a lot of popups. It wasn't until I discovered Firefox in 2004 that I stopped seeing them.
Just a small reminder for people using Firefox and ublock origin: you can remove almost all cookie prompts by enabling the annoyances filters in the addon settings
You can also block all sorts of annoyances. Last year I added ##.ytp-pause-overlay to my list, now when I click to pause embedded youtube videos all the useless crap like "more videos" does not show up. I also tend to block any sort of mouseover modals that show up on sites, like profiles on forums or reddit.
Want to add that uBlock Origin is not only exclusive to Firefox. If you prefer a WebKit-based browser you can use Orion on Mac with uBlock Origin.
I can't find that. Could you be more specific?
"Filter Lists" settings-tab -> expand "Annoyances" -> Fanboy's is by far the most popular one. Otherwise read the pages they link to / view the content (many have descriptions in content) - many of them are intended to work with Fanboy's, but if not you may have excessive duplicates.
Thank you!
Anyone not using Firefox/Ublock; you can use NoScript to block the banners, and a lot of other adtech (including some paywalls such as Bloomberg) as they are all JS-powered.

It's quite surprising to see how many JS plugins are in operation on a typical consumer site, and satisfying to know they were all blocked unless expressly permitted :)

And if you don't want to or can't install noscript, you can use my little hack https://noscript.it/ to view a page without javascript.

Note that it is a hack/poc and does not always work, especially the x-frame-detection is iffy so if you try it and just see a blank page try the "enable proxy" checkbox. I use it every now and then on iOS to get around some especially obnoxious JS, but if there were more users I would be more motivated to improve it (hint hint:-)

Keep in mind, however, that you will end up enabling all the "Please enable Javascript to view our website (even though our website works well enough for your casual visit without it)" banners, that are enabled in the HTML by default and hidden by JS :)

For example, one particular maroon-headwear-related Linux distro's bug tracker has a particularly egregious blinking bright red banner, asking you to enable JS for the website to "function correctly", even though reading bugs on said tracker works fine without it.

And on Safari use Hush!
The ad industry eventually ruins any medium it touches, and is responsible for spreading misinformation and propaganda that have killed millions.

It ruined print when every other newspaper and magazine page had an ad mixed in with the content. Sure you could get the paper for free, but how much content are you actually reading?

It ruined television when an hour-long show is interrupted several times to show 15 minutes of ads.

And now it's ruining the web with the advent of ad tech and the brilliant minds that get paid millions to think of new ways of squeezing more value out of people's attention. Web sites are riddled with ads now even worse than in the popup days. I have to navigate a legal minefield of dark patterns to ask them to please not track me or sell my data.

These are just the ways it ruins content and user experience. What about the misinformation? The lies from the tobacco industry, the political ads that overturn democracies, astroturfing and embedded marketing...? The list of shady and downright evil practices is too long to mention.

Advertising is a scourge on humanity. It needs to be strongly regulated and companies as influential as Google and Facebook need to switch to user respecting business models, for the sake of all of us.

You might show me ads, but not track me, privacy badger stops you from doing that. But if your ads are trying to track me, then privacy badger stops that too.
I'm not likely to bother blocking first-party images or other content so-delivered. Odds are I won't be bothered enough by those to block them, or if I am I'm more likely to abandon the site than to start blocking that kind of ad on every site.

The problems are the tracking and the ad networks that kinda treat both the viewer and their site-hosts as consumable resources, but that sites can't realistically avoid if they want/need ad support, because that's where all the money is. Break the ad networks, break tracking (and I mean legally, in both cases—tech means for blocking are doomed, IMO) and ad money won't go away, it'll be redirected to less-awful ways of delivering ads.

You are generous.

However I don't want any content which could be distracting or plain unsafe for mental wellbeing. One example are the ads for violent games on BlueStacks when I was using the emulator for Android education software for my children.

No thank you. Any content I can't control will be kicked.

Either by using adblockers or by just not using the service.

Advertising is mental pollution.

I dated a woman who experienced trauma in the past and she would routinely get horror movie trailers in YouTube. Even I found them disturbing. Neither of us had any interest in getting intrusive thoughts from watching assault and body horror. Putting in uBlock Origin did wonders for her well being.

Unfortunately the ad blockers are not usually able to tell the difference between first-party ads and network ads. In practice both come from an ad server.

I think there's actually a great opportunity for someone to create an ad server that only serves first-party ads with no tracking.

The Deck was such a thing. It was sort of invite only because once you go first party you have no way to validate the user base so you need to trust the partner. For ads that result in direct sales this can be easy to do though.
It was more of an ad network, no? Also I think it shut down.

I'm talking about something even simpler than that. I have my own website and I have my own advertisers who want to put ads on it. I need a way to serve them and do contextual targeting (e.g. stories about a certain topic) and frequency capping and forecasting and the other sort of basic stuff I expect from Google Ad Manager.

> The annoying and confusing cookie banners are a feature.

Not just that, but I’ve never seen a cookie banner that does anything. Cookies get sent down with the page on the initial load. Whenever I’ve opened an inspector to see if cookies get unset by JavaScript in response to my “opting out,” I’ve never seen an effect. The same cookies get sent after I opt out: no change. Has anyone seen a cookie preference banner that actually does something?
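An added example, not part of the thread: one way to turn the inspector check described in the comment above into a repeatable test, by replaying the `Set-Cookie` headers seen on first load and after clicking "reject" into a small cookie jar and listing the non-essential cookies that survive. The header lines, cookie names and the set of "necessary" names are constructed, and the jar ignores domain and path scoping for brevity.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie


def is_expired(morsel, now):
    """True when a Set-Cookie line deletes the cookie (Max-Age wins over Expires)."""
    if morsel["max-age"] != "":
        try:
            return int(morsel["max-age"]) <= 0
        except ValueError:
            return False
    if morsel["expires"]:
        try:
            when = parsedate_to_datetime(morsel["expires"])
        except (TypeError, ValueError):
            return False
        if when.tzinfo is None:
            when = when.replace(tzinfo=timezone.utc)
        return when <= now
    return False


def apply_set_cookie(jar, lines, now):
    """Return a new jar after applying Set-Cookie header values in order."""
    jar = dict(jar)
    for line in lines:
        parsed = SimpleCookie()
        parsed.load(line)
        for name, morsel in parsed.items():
            if is_expired(morsel, now):
                jar.pop(name, None)      # server asked the browser to drop it
            else:
                jar[name] = morsel.value
    return jar


def audit_opt_out(first_load, after_opt_out, necessary, now=None):
    """Compare the jar before any choice with the jar after opting out."""
    now = now or datetime.now(timezone.utc)
    before = apply_set_cookie({}, first_load, now)
    after = apply_set_cookie(before, after_opt_out, now)
    pre_choice = sorted(n for n in before if n not in necessary)
    surviving = sorted(n for n in after if n not in necessary)
    return {
        "set_before_choice": pre_choice,          # dropped before consent was given
        "removed_by_opt_out": sorted(set(pre_choice) - set(surviving)),
        "surviving_opt_out": surviving,           # still sent on the next request
        "opt_out_effective": not surviving,
    }


# Constructed sample data: what an auditor might copy out of the network tab.
NECESSARY = {"session", "consent"}
FIRST_LOAD = [
    "session=abc123; Path=/; HttpOnly; Secure",
    "_track_id=u-7f3a; Max-Age=31536000; Path=/",
    "ad_seg=sports; Max-Age=2592000; Path=/",
]
# Banner that only records the choice and changes nothing else.
NO_EFFECT = ["consent=rejected; Max-Age=15552000; Path=/"]
# Banner whose reject button also expires the tracking cookies.
WORKING = [
    "consent=rejected; Max-Age=15552000; Path=/",
    "_track_id=; Max-Age=0; Path=/",
    "ad_seg=; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/",
]

if __name__ == "__main__":
    print(audit_opt_out(FIRST_LOAD, NO_EFFECT, NECESSARY))
    print(audit_opt_out(FIRST_LOAD, WORKING, NECESSARY))
```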

Look at well-funded government or other public websites.

https://www.gov.uk/, https://www.nhs.uk/, https://europa.eu/, https://home.cern/, https://www.bundesregierung.de/ (maybe), https://www.dr.dk/ (maybe).

Smaller, local (to me) sites have started to have cookie banners that have an effect. My bank, 1/3 of the bigger news sites here etc...

They all started with a single "agree" button, then went to "agree/disagree" with no effect and are finally starting to come around to a functioning disagree button.

GDPR also helps here, as it defined what identifies an individual and that made most of the tracking PII even when it's all merged by a random ID that stays with the user. The effect is slow, but it's starting to work.

Hopefully the next step will be abandoning cookie banners and only using technically required cookies (don't need consent) and/or non-identifying tracking for aggregate results. This is a massive improvement on UX and actually gives the company more quality data that doesn't identify any single individual.

I'm personally pushing for aggregated tracking in my current company. It's an uphill battle, but one that can be won I think.

> non-identifying tracking for aggregate results

That sounds similar to FLoC, which is still very much identifying[1].

The solution to user tracking isn't less identifying tracking. It's no user tracking.

[1]: https://blog.mozilla.org/en/mozilla/privacy-analysis-of-floc...

"They want you to associate them with privacy, and conclude that privacy laws are pointless and should be repealed."

Once in a while I read/learn something new at HN that changes my perspective on things. This sentence is such an example.

I agree but I changed "pointless" with "hopeless" for a better effect on my end.
Unless regulators force companies to respect automated protocols.
This. You can see the impact of this on the new iOS tracking permissions. Most people want to opt out, but can't. Regulators stepping in would spell the end of large sections of the online advertising industry, so I doubt it'll happen.
Regulators in the US do not seem to be completely in the pockets of the online advertisers quite yet, given recent legislation proposals. Regulators in the EU, even less so.
> Most people want to opt out, but can't.

Not following this too closely, I thought that's possible now, or at least as soon as the last few holdout apps get updated?

That's the point, by Apple taking control of the interface and preventing dark pattern bullshit, opt in rates are way lower on iOS than on websites.
I thought this exactly. Kind of like US requiring pension plan options to be provided in a certain consistent layout etc., were this spec to be demanded by e.g. the EU, then it could see a really positive shift
The GDPR already explicitly forbids 95% of the cookie banners out there, but large companies decided to ignore it and simply face the fines if they in some hypothetical future will arrive. The rest of the industry followed.

Until the law that defined informed consent actually gets enforced, a new law cannot really fix it unless the regulators start to add the threat of jail time to repeat offenders.

> but large companies decided to ignore it and simply face the fines if they in some hypothetical future will arrive.

This is not the case. The fines are up to 2% of annual global turnover. This scares companies.

Moreover, some of the worst offending cookie banners are slowly being replaced by better ones as more and more organizations (such as noyb) file official complaints and companies get fined.

> This is not the case. The fines are up to 2% of annual global turnover. This scares companies.

You are wrong. The initial fine is much, much lower and companies have so long to dabble in wilful ignorance that it is at the moment not something that has teeth. Companies are like bullies, they don't respect threats - only harm.

> initial fine is much, much lower and companies have so long to dabble in wilful ignorance

Another diluent: the maximum fine is practically the lesser of 2% and the NPV of business in that European country, or, expansively, in Europe. If you have little business in Europe, it’s cheaper in some cases to simply close shop.

I'm pretty certain an actual fine (not ceasing operations) has a limit of max(10M€, 2% worldwide revenue of previous year) and double if you're antithetical to GDPR. Also, it's per infringement and isn't a yearly free pass to continue once you're fined.

Companies are not doing much because enforcement is lacking, and in case you get caught, most fines are in the neighborhood of reasonable rather than instant liquidation.

[0] https://noyb.eu/en/irish-dpc-handles-9993-gdpr-complaints-wi...

It obviously doesn't scare them enough, even if it should in theory.
A standardised protocol approach might make enforcement easier. It would make it a lot more clear cut whether someone was infringing or not.
Automated enforcement is already easy if there was willingness to do it. The majority of non-compliant cookie banners use a handful of libraries and/or third-party services such as TrustArc so detecting these with a web scraper would be trivial.
Noyb - one of the organisations behind this proposal - have started contacting the operators of non-compliant websites,[0] as the first step in forcing them towards compliance.

If they change their ways then good, if not Noyb has a much more solid case when making a complaint to the SAs and/or the courts.

[0] https://noyb.eu/en/noyb-aims-end-cookie-banner-terror-and-is...

I mean, a good first step would be to start fining companies 2% of the revenue. Especially Google. And then maybe automate the GDPR fines, because it's definitely possible to identify that a site puts up a non-compliant banner.

No need to add the threat of jail time, _especially_ if it isn't enforced.

2% of revenue while stalling the GDPR process and taking it to court for 10 years makes it only 0.2% ;)
Even so, it would be 0.2% per EU country, right? Because the legislation is transposed into member states legislation. I doubt that anybody would really want to fight (& risk losing) in even 5 member states per year...
That would be 2% each year for ten years of infringement though, and very expensive lawyers to pay for at least that duration.
It is time for the governments to take control back and start regulating BigTech: you can not easily opt-out from any data gathering from Google, Microsoft, Apple, Facebook, ... If you try it and turn it off on mobile phone and desktop you will constantly have issues and be flooded with messages like "turn on location services", etc. Yesterday I learned that my private calendar on my phone was replicated to Google Calendar >>for many years<< without my knowledge, because the default setting was to save new events into Google Calendar and not a local phone calendar... and I was not asked during setup if I would like that (I have turned off all replication / data sharing / etc.)... this is just crazy... they are basically STEALING MY DATA and sending it to the cloud where it is processed without my knowledge... I hope they pay BIG MONEY for these GDPR breaches...
I doubt there is an easy fix in cases like Google Calendar due to consumer expectations. Simply put, there are certain types of data that many consumers expect to be synchronised, and those of us who have the opposite expectation (or only want certain data to be synchronised) are likely in the minority.

This is somewhat different from most tracking done on the web, which is done for the exclusive benefit of those doing the tracking.

How is this possible? Probably forgot you gave consent to Google calendar?
Recent Android phones sync a ton of stuff automatically - which I suppose you agree to by signing in with a Google account, but that's also typically required. I know this because on the last two Android phones I purchased, a set of old outdated contacts from my Google account were automatically synced to the phone as soon as I logged in, which I was required to do to begin using the device.

Believe me, I would have opted out of this had I been prompted to do so during setup.

Time to go away from GMail account...
I checked again exactly why this happened: Samsung Calendars app (which is a default calendar app on Samsung phones) has set a default calendar for my new events to my Google Calendar account. And if you just enter the event title and set the time (what one would usually do) - and leave all other settings untouched - then by default it will be added to your Google account which will then be synced to the cloud... You can change these settings (see [1]), but the default is wrong!

[1] https://eu.community.samsung.com/t5/galaxy-s9-series/default...

Be sure that I didn't give any consent...
I would argue that times have changed. Sure, there's still misaligned interests between ad providers and users in terms of privacy. But I think the EU regulators found the right level of financial incentives to change some of the worst habits.
The ad industry is not monolithic, though. Some people want to genuinely move on to less privacy-invasive business models; others not. I have been to industry conferences where the advice was "well, if you do not like the Do Not Sell link on your site, maybe it's time to stop selling and start changing your business model."

What is different this time around compared to P3P, DNT, and other earlier mechanisms is that the times have changed. Privacy is a much bigger topic. There is much more reporting now about privacy. Users understand a bit better (though, we are still far off from real transparency). Lawmakers and regulators are catching up. Many companies embrace privacy. There is a burgeoning privacy tech industry with quite a bit of venture funding.

Also, lessons were learned from earlier efforts. CalOPPA required recipients of DNT signals to only say whether they respect those. The CCPA regulations now require actual compliance. If the CCPA is applicable to your company, you have no choice but to respect it. And that is also true for automated browser signals. There is much stronger enforcement now behind more recent privacy laws. Virginia and Colorado recently enacted privacy laws, and it is likely that other states will do too.

Disclosure: I am an academic researcher working with collaborators of all stripes on Global Privacy Control (GPC) [1, 2]. We are in touch with the good folks at ADPC and support their work. They are doing a fantastic job over there!

[1] https://globalprivacycontrol.org/ [2] https://github.com/privacycg/proposals/issues/10

Thing is, how is regulation supposed to ever keep up with the rapid advancements of technology and advertising and the lobbies that come with all that revenue?

Capital and technology need not respect sovereign borders and laws as long as they can keep one step ahead of enforcement and still get enough revenue. The laws and lawmakers are fundamentally slower and weaker and poorer; by the time CCPA et al have an actual deterrent effect (beyond just mandated privacy notices), the industry will have moved on to some more sinister loophole.

It's an arms race that 1700s-style government simply cannot keep up with. It takes months to come up with new algorithmic loopholes, decades to change the law, one industry-friendly administration to undo all the progress.

Offloading privacy to government only works when you have strong states (China, the E.U. maybe). In the US, what's left of the federal government is too crippled to effectively tackle this (and arguably any technological problem) at scale. State-specific laws are subject to the same constraints, and additionally face the problem of enforcement across borders and Commerce Clause issues. If anything this will be an arms race between adtech and adblocking; Congress is the kid in the corner crying, "But I wanna play too!" and pretty much shrugged off by everyone else.

Simple: the law should be written in a technology agnostic way. Something along the lines of "Services shall not track user behavior beyond what is necessary to render service, and user behavior shall not be sold to, shared with, or otherwise made useable by third parties without user consent". Then it doesn't matter what technology you come up with in the future, it is covered.
That doesn't really work long term. "necessary to render service" might include advertising dollars. And who is a "third party"... If ad networks reorganize into a cooperative that offers services directly to publishers in the manner of AWS, are they still a third party? And user consent, what if it becomes a requirement to consent before you can access data, or opting out gives you diminished functionality...

None of that is far fetched. Facebook, Google, Apple etc. all track and use first party data. If anything this just consolidates advertising power into the hands of an oligarchy that's already largely above antitrust law.

The law is never simple, exhaustive, or agile when it comes to regulating technologies.

GDPR has been the most successful of the bunch and all it really did was force a bunch of cookie notices and deletion processes. That still largely depends on people being lazily accepting advertising.

Any proposed law that singlehandedly destroys ad tech is unlikely to either pass or stay relevant for more than a few months.

> They want you to associate them with privacy, and conclude that privacy laws are pointless and should be repealed.

This is a sentiment expressed surprisingly often even here on HN.

A huge proportion of posters either work at adware companies or are big time owners of adware stocks.

And as the Sinclair adage goes, it is difficult to get a man to understand something when his salary depends on his not understanding it.

I used to work in adtech. My position then, as now:

1. targeted ad buys are mostly a scam. Research shows that they are barely more effective than old-fashioned contextual ads.

2. Contextual ads, aka "dumb" ads, the kind that show ads based on the content they are displayed with, are fine.

3. adtech companies depend on advertisers not understanding (1) and publishers chasing dollars by signing up with ad targeting networks.

The ones that are actually making money are the ad networks, and it is in their interest to spread FUD about (1) and not offer (2), as they make their money as a percentage of every ad sale (auction) transaction, and the CPM is higher on targeted ads because of ignorance of (1)

Well, just like many others I own - both directly and indirectly - some tech stocks, but it doesn't influence my view on privacy at all.

Actually, the view that they have to either do unethical things like tracking or perish is one of the greatest fallacies and a sign of lazy thinking.

This is intellectually lazy. You can't just assume that the large numbers of people who hold a position you disagree with do so only because they have some secret bias. It's a position which is not falsifiable and which absolves oneself of having to think critically about their own position.
One man's 'intellectually lazy' is another man's 'educated guess'. Or as this community loves to say about others, “It is difficult to get a man to understand something, when his salary depends on his not understanding it.”

There are plenty of people online playing devil's advocate because one day they too could be rich and they don't want the harsh yoke of government regulation holding them back.

On HN, part of the audience is in closer proximity to that kind of wealth, and their arguments in favour of that status quo reflect this.

Call it whatever you like, it's still an unfalsifiable claim resting on fallacious reasoning.

As a general best practice, if you are convinced something is true, ask yourself "what evidence would someone have to show me to convince me this is not true" - if you can't think of something, there's a problem.

I am completely outside of adtech influence and even I can recognize that the costs may outweigh the benefits of the current state of government-attempted adtech regulation. Most arguing against these laws are either more libertarian wrt tech, or take umbrage with the specific nature and enforcement of the law.

Almost everyone wants privacy limits, they just don't agree on the current measures (or their previous ones, or the ones before that, or doubling down on continued failed policy approaches in the future).

By this reasoning, you must be a Google shill since the GDPR has been great for their market share: https://globaldatareview.com/competitionantitrust/study-gdpr...
P3P wasn't great. It's pretty hard to reduce the nuance of how you're proposing to use data down to a handful of fields that will be automatically processed.

I remember spending a silly amount of time trying to come up with a P3P policy that was both accurate and also didn't break sign-on for a single app that used multiple domains.

Just use Super Agent. You choose your preferences once and that's it. And once iOS 15 is out, it will be available in mobile.
What is Super Agent?
As I understand it, the idea would be to make respecting these automatic signals mandatory in an update to the GDPR. See https://techcrunch.com/2021/06/14/europe-needs-to-back-brows... for some more context.

Granted though that enforcement of the existing rules seems to be the biggest problem today.

And if a browser or extension abuses these signals (i.e. always sends them without user's explicit and informed consent), who is liable?
Liable for what? GDPR says you can only collect data if you have informed consent from the user. It does not imply any right on the side of the business to be able to obtain such consent.
> Adtech companies don't want users to have an easy opt-out. They didn't want P3P. They didn't want DNT. They will not want this new spec, unless the spec is so bad that most users will agree by accident.

Reminder that Internet advertising has a lot of actors with competing interests, and it is not usually the "adtech companies" who don't want users to have an easy opt-out, but publishers and to a lesser extent the advertisers. Many "adtech companies" would love to have clearer legal signals and simpler, industry-wide justification to collect less data.

Publishers have been very good at foisting all user frustration off on vague "adtech" (or alternately, adtech companies have been effective at reputation laundering for publishers/advertisers) but they're the ones that want to collect, share, and sell the data to be able to raise their rates.

This is fundamentally misunderstanding how internet advertising works:

advertisers will pay higher CPM for precise targeting and attribution

publishers want the best CPM they can get

adtech uses as many tricks as possible to get as much information as possible about a user so they can maximize the CPM the advertiser will pay

Publishers just end up doing whatever their adtech partners tell them will give them the best CPM.

Haha, no. You're falling for the trick, or maybe you're just 10 years behind.

Publishers (and retailers, and anyone with a dataset) seek out adtech partner companies, to justify high CPMs and to sell their audience data. Adtech companies are market-makers, it's been years since the data they can get independently of supply-side partners was worth shit.

The publisher is the one with the cookie warning and consent forms! The publisher is the one who wants you to log in with a stable ID! The publisher is the one with a model of you regardless of your ad or tracker blocker settings! The adtech companies will sell you downstream for sure, but the publishers are the ones deploying as many tricks as possible to gather data.

And yeah, adtech companies will advise them about how to effectively gather data. That's a lot less about "tricks" and more about how to build salable taxonomies instead of data lakes full of garbage. To the extent it's about tricks, it's more often the adtech companies having to patiently but firmly explain, no, you can't just hardcode a single consent state for all visitors and send that to us in lieu of a real CMP. (A purely theoretical example, of course...)

You're being very generous to adtech's role in this. Any undisclosed bias?

Adtech is very much instrumental in the race to extract as much value from attention as possible.

Adtech built a market for advertisers to target users based on interest (which may or may not be a scam[1]). Advertisers exploit this and other tools at their disposal (astroturfing, embedded marketing, etc.), but they're certainly not as vicious or out of control as what adtech can produce.

The publisher has my information if I give it to them or if they buy it somewhere. Adtech has it regardless of what I do. Why would a publisher even want a model of me when what they want is for their product to reach me on as many sites as possible, not just their own? An adtech company having as much information on everyone can serve many publishers, so it's no wonder the system is so centralized.

[1]: https://news.ycombinator.com/item?id=27531714

> Publishers (and retailers, and anyone with a dataset) seek out adtech partner companies, to justify high CPMs and to sell their audience data. Adtech companies are market-makers, it's been years since the data they can get independently of supply-side partners was worth shit.

You're correct, for large publishers ... I guess we could almost say they are adtech companies now.

IMO it's easier to just call them "surveillance companies" and be done with it. Regardless of whether they're collecting, storing, or processing surveillance data, they're all in the same business as Equifax, Google, Lexis-Nexis, and NSA.

I don't think it's useful for analysis or activism to group Equifax, Google, the NSA, the New York Times, Humble Bundle, Twitter, Airbnb, Walgreens, etc. under a single term. The flattening of this mess down into "adtech" is how most of them have avoided scrutiny, and relabeling that "surveillance" doesn't make the relationships between them any clearer.

The thing about this new spec is that it's compatible with the GDPR in a way that could make adopting this a legal requirement, given enough lobbying effort. It'd be a long battle, but I could foresee a future where regulators require adtech to implement this spec to obtain consent.

That won't stop them from additionally using cookie banners, out of spite. But I suspect many websites that currently have cookie banners only have them because they believe it to be necessary, and it's hard to push back on it. If such a spec came to be recognized as a way to obtain consent by regulation, it'd make it easy to point its way, and at least end the madness of cookie banners on websites that don't need it.

"the banners are malicious compliance."

I agree. But I don't think it's because adtech want you to think privacy is shit; I think it's because by compelling you to click, they can run Javascript in the context of a user gesture.

I want a plugin that automatically says "OK" to cookie banners. My browser already blocks 3rd-party cookies. It only allows session cookies. Cookie banners are like fire-hydrant CAPTCHAs - they massively increase the friction that web users have to deal with.

They also legitimise other kinds of popup window that websites present. I've noticed more and more popups appearing on first visit to a site, inviting me to subscribe to a newsletter or whatever. You often see a cookie banner, followed by a newsletter popup, followed by a Google login popup. Who knows, maybe there's a traffic-lights CAPTCHA.

Then finally you're into the site, and it turns out to be Washpo or NYT, and you can't read the article anyway, because it's paywalled.

Can we have our open web back please, mister?

>I want a plugin that automatically says "OK" to cookie banners.

Why would you want that? Even if you delete 3rd-party cookies that would still allow tracking companies to log your IP and track you through some other shady means which you've now consented to.

Because it makes no difference to my assurance-level which button I click. There's no way of knowing what they do serverside with your form submission (and it nearly always is a form submission).

Cookie approval has to be under the control of the user, not the website. So it has to be done by the browser or an extension. So if I have user-controlled cookie-approval, I might as well click "OK" on the form - the site might treat me better if I do.

“I want a plugin that automatically says "OK" to cookie banners.”

Try “I don’t care about cookies” :)

https://www.i-dont-care-about-cookies.eu/

Is this extension trustworthy? It is "recommended" and says GPL3 but there is no link to the source code anywhere.

The author doesn't publish the extension sources. https://reddit.com/comments/bru6wd/comment/eohtox3

Their argument is that the extension as it's distributed is essentially a zip file containing the source code.

I don't think that's quite in compliance with GPL3, but I'm not a lawyer. The bundled release artifact doesn't allow someone to build the extension, and I think GPL3 takes that into account. If I have a Java program, I have the bytecode, and unless it's been run through an obfuscator, I can pretty easily recreate the Java code. But the GPL3 doesn't count that as compliant.

Thanks - I'm looking into that.

A much better option is Consent-o-Matic, which will reject cookies for you automatically.

Visit https://gdpr.eu or https://europa.eu/european-union/index_en "The Official website of the European Union". Look down. Both have a cookie banner.

The emperor is naked. The GDPR law is broken.

But privacy laws are pointless and should be repealed.

All this noise about cookie privacy, fingerprinting, FLoC, tracking, etc. --- what are the actual harms that make these things bad? Has anyone in the real world ever experienced a concrete harm arising from interest targeting? Doubtful.

The EU privacy regime imposes a heavy regulatory burden in exchange for nothing. Information is a non-rivalrous good. Further limiting its dissemination will increase friction all over the internet, impose new transaction costs on previously free interactions, and make the whole network less useful for everyone. And for what? Assuaging the paranoia of a tiny fragile and vocal minority of privacy activists? Sorry, but that's not worth breaking the internet.

Information is power. The more information about more people with more depth to the graph is amassed by Big Tech and 3-letter agencies, the more soft power is accrued over large groups of people, economies, processes and even nations.

And this ability is currently asymmetric. While Big Tech and Big Govt knows nearly everything about everybody, ordinary citizens are denied data and transparency. And even if the data may be hypothetically available, its scale precludes analysis by anyone except highly funded groups.

Lack of privacy does translate to enormous soft power. It doesn't have to result in death, although the potential is there for that too. Democracy and individual liberty become meaningless except on paper.

I'm not sure that's what we want, in exchange for a few conveniences in the palm of our hands.

> The more information about more people with more depth to the graph is amassed by Big Tech and 3-letter agencies, the more soft power is accrued over large groups of people, economies, processes and even nations.

Is there any evidence that Big Tech and Big Government are actually controlling people by tagging them in some database (which no human actually inspects) as being interested in hiking gear and cookie recipes? Give me a break.

What you've described isn't a concrete harm, but an emotion --- specifically, fear. Lots of fears are baseless. So is this one. We shouldn't organize society around the baseless fears of tiny vocal minorities.

We call it stalking when an individual does it.

It should be, flatly, illegal to collect that sort of data about people without a business need to do so, and illegal to use it for any other purpose, transfer it to any other entity without the same restrictions on its use, etc., when it's needed (like: credit card companies and banks obviously need to know where & when you spend money, but they shouldn't be able to use those data for anything else at all—no aggregating and re-selling to others, no mining spending trends for investment intelligence, no targeting ads at you based on it, none of that).

Companies who track your information, including FAANG, get regularly investigated and often fined for violating antitrust laws when they use the data they've gathered to limit or outright kill competition. I find it disingenuous to ask for evidence of some kind of vague "companies controlling people" when it's obvious that they do it on a larger scale all the time.

No, companies do not mind control people on an individual level, but what they do has all the traditional effects of monopolies/oligopolies that are not democratically controlled by the people affected but a handful of rich executives.

I'm not even going to go to the "advertising controls people" dialog tree. If it's not obvious why having the power of putting anything you want in front of billions of people is powerful, then I don't think there's a discussion worth having.

> it's not obvious why having the power of putting anything you want in front of billions of people is powerful, then I don't think there's a discussion worth having

There it is. It's not about tracking per se. It's really about control over advertising and information dissemination more broadly.

Motte: preserving user privacy by blocking cookies

Bailey: let's tightly control who can put messages in front of the general public

Is putting barriers into how huge multinational companies can exploit their data farming to cement an unchallengeable position in the market and kill off competition or dissent within the system "tight control into who can put messages in front of the general public"?

You are framing this as if I am somehow advocating censorship towards people, yet I am advocating the opposite position. Executives shouldn't be given such huge powers of data mining and information distribution and the ability to shut powerless opposition and competition out. This is about preserving equal voice to all people, and preventing juggernauts from squashing it.

Privacy is a human right, and respecting it does not, in any way whatsoever, break the internet.
Specifically, Article 12 of the UDHR states:

"No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks."

https://en.wikipedia.org/wiki/Universal_Declaration_of_Human...

Why isn't this Article at the forefront of any and all conversation re: privacy?

UDHR is not a binding law, it is a "declaration". An aspirational statement of common understanding made by bureaucrats in a big conference in 1948, and is one of many such "declarations". Thus trying to cite a certain passage of this 70-year-old declaration as if it had legal force today in any country on earth is a pretty odd thing to do. A declaration isn't even a treaty, and of course a treaty needs to be ratified to be in effect. So not only has the UDHR not been ratified by anyone, it can't be ratified as it is not even a treaty to begin with.

Now some nations may have decided to take some of the principles in this declaration and turn them into laws. But you will find that there is great variance in the human rights laws today even between, say, Canada and the U.S., or Mexico and Japan.

The fact of the matter is human rights are a social construct and they very much differ on what society you are in and what that society has decided are the rights it will observe. Looking around, we find very different definitions and interpretations of rights all around the world.

Additionally Article 8 of the European Convention on Human Rights[0]

>Everyone has the right to respect for his private and family life, his home and his correspondence.

>There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

and Articles 7 and 8 of the Charter of Fundamental Rights of the European Union[1]

>Everyone has the right to respect for his or her private and family life, home and communications.

and

>1. Everyone has the right to the protection of personal data concerning him or her.

>2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.

>3. Compliance with these rules shall be subject to control by an independent authority.

Both of these documents are legally binding (the former on all member states of the Council of Europe,[2] and the latter on the EU and its member states)

[0] https://en.wikisource.org/wiki/European_Convention_for_the_P...

[1] https://www.europarl.europa.eu/charter/pdf/text_en.pdf

[2] https://en.wikipedia.org/wiki/Council_of_Europe

Who defines what "privacy" means? You? Why? Can you point me to the place where the Universal Declaration of Human Rights talks about cookies and FLoC? The UDHR is not a blank check for banning anything you want in the name of "privacy".

There are a lot of angry people in this thread stating what they want, but none have offered an argument for why we should structure society around their whims. Sorry, but "you shouldn't be able to collect information" isn't an argument. It's a wish. Nobody is under any obligation to indulge the wishes of random strangers.

There's nothing in the Universal Declaration of Human Rights about privacy regarding medical records, but various jurisdictions agree that it's worth protecting.

> Sorry, but "you shouldn't be able to collect information" isn't an argument.

How about "private entities shouldn't be able to collect my information without my explicit consent".

> It's a wish. Nobody is under any obligation to indulge the wishes of random strangers.

Yours included.

> How about "private entities shouldn't be able to collect my information without my explicit consent".

If the information is public, no consent is needed.

Privacy is about trusting someone with private information and expecting they will not do anything with it that you would not approve of.

> How about "private entities shouldn't be able to collect my information without my explicit consent"

Keeping a diary or a phone contact list would be forbidden under a strict reading of that rule. Even remembering the name of a person you met at a party would be forbidden unless you ask for explicit consent first. "Hey, Joe. Great to meet you. Mind if I make a mental note connecting your face to your name?" Real people don't think like this.

We all have a natural freedom to record facts we perceive in the world around us. Taken to its logical conclusion, privacy advocacy is about mandatory forgetting. No, thanks.

> what are the actual harms

This kind of question can only be asked by someone who has never been abused by a domestic partner, never been on the wrong end of debt collectors, the law, disgruntled employees, doxxers, or other real and persistent threats that are enabled by the data collection and aggregation that is the foundation of interest targeting.

Do abusive domestic partners, debt collectors, random employees, or angry doxxers have access to targeted advertising interest data? The "harm" you're discussing is hypothetical and extremely unlikely. I'm asking for concrete examples.

Debt collectors are huge data broker clients. (And sellers too - junk debt can go both ways on these markets.) Disgruntled employees leak a fair bit too.

40% of police officer families experience domestic violence: https://www.theatlantic.com/national/archive/2014/09/police-...