Hacker News new | ask | show | jobs
by Garvi 1081 days ago
Blaming cookies for tracking people is like blaming a bullet for a murder. It's the trackers installed on pretty much every single website that are the thing that tracks people, using cookies of course. The Google analytics or Facebook pixels, to name the top two offenders.

I don't see how this relates to GDPR. Please explain.
1 comments
jkaplowitz 1081 days ago
> Blaming cookies for tracking people is like blaming a bullet for a murder. It's the trackers installed on pretty much every single website that are the thing that tracks people, using cookies of course. The Google analytics or Facebook pixels, to name the top two offenders.

Yes. I agreed that the cookie law is partly dumb. The part of the cookie law that’s dumb is that it’s too narrowly scoped and should apply to all tracking technologies and techniques, for whichever purposes and vendors are or aren’t okay with the user. And it needs a systematic way for user-specified defaults across all websites, instead of leaving that to browser extensions.

Ideally this would be opt-in rather than opt-out for privacy reasons, but I do understand the valid argument that the subset of people who would explicitly opt in to tracking are not representative of the whole user population.

Probably the best balance of hassle vs privacy vs statistical validity is to require the major browsers to force a one-time explicit choice per purpose and/or per vendor without dark patterns involved, save those as defaults that get sent to the sites in a way that is legally mandatory for sites to respect, and allow per-site overrides using the same mechanism - instead of the current mess of shady consent pop-ups.

> I don’t see how this relates to GDPR. Please explain.

Both have more user-friendly requirements than people expect, both are widely violated in user-hostile ways, both are rarely enforced by regulators, and what rare enforcement does exist is slow, often reluctant, and with inadequate fines to change industry norms and sometimes not even much of the behavior of the fined company. They’re separate laws but with the same practical enforcement / incentive problems.

link
sarnowski 1081 days ago
> The part of the cookie law that’s dumb is that it’s too narrowly scoped and should apply to all tracking technologies and techniques, for whichever purposes and vendors are or aren’t okay with the user.

A recent definition of the German authorities clarifies that with „cookies“, they don’t interpret it narrowly as the specific browser technology but any kind of beacon or mechanism for tracking[0]:

> Gemeint ist damit beispielsweise der Einsatz von Cookies und anderen Technologien wie LocalStorage, Web Storage, das Auslesen von Werbe- und Geräte-IDs, Seriennummern, aber auch der Einsatz von ETags oder TLS-Session-IDs zum Zwecke des Trackings, Fingerprinting (z.B. durch das Auslesen von installierten Schriften oder Anwendungen) und vieles mehr. Der Einfachheit halber wird das im Folgenden i.d.R. unter dem verkürzenden Begriff „Cookies“ zusammengefasst.

They name as explicit examples not only cookies but LocalStorage, Web Storage, reading of any kind of serial numbers, ETags, TLS Session IDs (if used for tracking), and any other method for fingerprinting such as font profiling.

[0] https://www.baden-wuerttemberg.datenschutz.de/faq-zu-cookies...

link
mananaysiempre 1081 days ago
> A recent definition of the German authorities clarifies that with „cookies“, they don’t interpret it narrowly as the specific browser technology but any kind of beacon or mechanism for tracking[:] LocalStorage, Web Storage, reading of any kind of serial numbers, ETags, TLS Session IDs (if used for tracking), and any other method for fingerprinting such as font profiling.

To be fair, even the original wording[1] isn’t specific to cookies, only to client-side storage or code—which is also not the precise cause of the problem, but includes all the things you’ve listed:

> (24) Terminal equipment of users of electronic communications networks and any information stored on such equipment are part of the private sphere of the users requiring protection under the European Convention for the Protection of Human Rights and Fundamental Freedoms. So-called spyware, web bugs, hidden identifiers and other similar devices can enter the user's terminal without their knowledge in order to gain access to information, to store hidden information or to trace the activities of the user and may seriously intrude upon the privacy of these users. The use of such devices should be allowed only for legitimate purposes, with the knowledge of the users concerned.

> (25) However, such devices, for instance so-called "cookies", can be a legitimate and useful tool, for example, in analysing the effectiveness of website design and advertising, and in verifying the identity of users engaged in on-line transactions. [...] Access to specific website content may still be made conditional on the well-informed acceptance of a cookie or similar device, if it is used for a legitimate purpose.

(Emphasis mine.)

Interesting that this also uses the phrase “legitimate purpose”, but in a much broader sense to what the GDPR will eventually use. I did not realize that.

[1] https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX...

link
jkaplowitz 1081 days ago
That’s a good approach! I hope it becomes accepted across the EU. Still, it does seem to restrict the applicability of the ePrivacy Directive (aka the cookie law) to ones which use storage on the end user’s device, based on how that law was worded. The GDPR can of course still apply to other forms of tracking as long as they involve processing personal data.
link
Garvi 1081 days ago
> Ideally this would be opt-in rather than opt-out for privacy reasons

As long as it's about cookies, the law is nonsense. Asking laypeople to "opt-in to tracking" so they can log into a website would render most websites inoperable.

> They’re separate laws but with the same practical enforcement / incentive problems.

I disagree with this. The cookie law popups pretend to ask users whether they consent to being tracked or not. Which is entirely misleading. With GDPR the pressure is on the companies to disclose what data they are collecting on you and give you the option of deleting it.

> Both have more user-friendly requirements than people expect, both are widely violated in user-hostile ways, both are rarely enforced by regulators, and what rare enforcement does exist is slow, often reluctant, and with inadequate fines to change industry behavior.

If I understand you correctly, you're saying the main downside to GDPR is it's not properly enforced. I agree with that.

link
jkaplowitz 1081 days ago
Neither the GDPR nor the ePrivacy Directive (cookie law) requires consent for cookies that are technically necessary to operate a website, including those to reflect a user-initiated login action. This is separate from consent to tracking for advertising, marketing, and analytics purposes.

The cookie law doesn’t pretend to require consent for non-essential cookies placed on end user decides - it does require that consent. But, yeah many of the popups handle this in misleading ways where the verb “pretend” is quite accurate. This is exactly the same problem of under enforcement and misaligned incentives that limits the effectiveness of the GDPR, even though the two laws have different scopes and requirements.

Yes, you correctly understood the GDPR downside I was describing.

link