by z_ack 1027 days ago
I did an experiment: I deleted all the cookies using the privacy settings of my browser, then I avoid clicking anything about cookies' authorisation, i.e. if a page presents that kind of request I immediately close the page itself. At the end, I verified that cookies are present in the browser's storage despite my absence of authorisation, even third-party cookies. So, yes, I agree: commercial surveillance is creepy and I guess is some organisation do effective control to avoid abuse from those actors.
4 comments

Only tracking cookies require consent. Cookies could be about the last time you saw the website's weather content, in which case it's purely functional and needs no consent.
Not all places in the world share the same set of laws or jurisprudence. What's allowed or required and what isn't is entirely dependent on the jurisdiction(s) the website operators are beholden to.
Are you sure of that? I knew that the competent jurisprudence or "forum" is that of the user, or everyone could circumvent the law using "offshore" companies to track people in regulated countries (i.e. EU). I was reading here on HN that, for that reason (avoid EU Regulation), sites like New York Times blocked the availability of their contents in whole EU. I was checking, see here, for example: https://reutersinstitute.politics.ox.ac.uk/news/many-eu-visi...
Insofar as what the jurisdictions the website operators are beholden to or perhaps care about have to say about it, but otherwise I (not a lawyer) share your perspective.
Third party cookies are usually for tracking though.
No. Unless you have other lawful grounds of processing, all functional cookies still have to be session scoped at worst.
Strictly necessary cookies do not have to be session cookies. If you read https://gdpr.eu/cookies/ it says they generally will be session cookies, not that they must be. If you think it is appropriate for your users to be already logged in the next time they run their web browser, using a persistent cookie for that is permitted.
Yes, they can become persistent once you get consent or other grounds. You probably get that consent in registration form and "recall" it on login. Otherwise you process data from across sessions, which is a huge red flag.
Wrong, you don't need consent for these kinds of cookies.
> I avoid clicking anything about cookies' authorisation, i.e. if a page presents that kind of request I immediately close the page itself. At the end, I verified that cookies are present in the browser's storage

I have recently had to implement some of these banners. Here’s what I learned: click reject.

The way America’s version of the cookie banner law (not sure about EU) works is that cookies are default allowed. They are set before the banner even shows. Rejecting the cookies then sets a cookie that you’d like cookies rejected. The cookies remain, but the banner’s scripts block tracking requests based on those cookies on subsequent requests.

So if a site uses GA and you reject cookies, you still get and keep a GA cookie. But the cookie banner later turns GA’s javascript into “text/plain” so your browser doesn’t execute it. This is what [at least some of] the banners mean by “reject cookies”.

Yes it’s stupid and confusing. Possibly on purpose.

In Europe at least, the law doesn't forbid cookies or mandate banners. It's about tracking and informed consent. It turns out companies love tracking, massively use cookies for this, and chose obnoxious cookie banner dark patterns to request consent.

But there is no such thing as a "cookie banner law".

> But there is no such thing as a "cookie banner law"

A law that leads to cookie banners -> cookie banner law. We all know exactly what I meant.

But yes on my personal site I solved the problem by not tracking visitors because there’s no need. General traffic numbers are good enough for me.

More importantly, use a malware blocker like uBlock Origin.
This could easily be automated and the results published.
Even better, there could be a list of garbage cookies that this experiment produces.

As an anti-tracking measure, Firefox could put them into a global pool (shared with all other users), then randomly sample from the pool whenever making a request to the offending site.

The effect would be severe breakage for any sites that set unauthorized cookies.

Where would one publish such an experiment?
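
An added example (not part of the thread or any commenter's code) of the automated audit suggested above: it takes `Set-Cookie` headers recorded while loading a page without touching its consent banner and reports, per cookie, whether it is first- or third-party and how long it persists. The hosts, cookie names and capture time are constructed sample data, and the first-party test is a simplified suffix match.

```javascript
// Constructed sample: Set-Cookie headers captured while loading a page and
// never interacting with its consent banner. Hosts and names are made up.
const PAGE_HOST = "news.example";
const CAPTURED_AT = Date.parse("2024-01-01T00:00:00Z");
const OBSERVED = [
  { host: "news.example", header: "sid=abc123; Path=/; HttpOnly; Secure" },
  { host: "news.example", header: "_visitor=9f2c; Max-Age=63072000; Path=/" },
  { host: "cdn.tracker.example", header: "uid=77aa; Expires=Wed, 01 Jan 2025 00:00:00 GMT; SameSite=None; Secure" },
  { host: "static.news.example", header: "lang=en; Domain=news.example; Max-Age=86400" },
];

// Parse one Set-Cookie header into its name plus lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const cookie = { name: pair.slice(0, pair.indexOf("=")), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Simplified check: the setting host is the page host or a subdomain of it.
// A real audit would compare registrable domains via the Public Suffix List.
function isFirstParty(host, pageHost) {
  return host === pageHost || host.endsWith("." + pageHost);
}

// Lifetime in whole days; 0 means session-only (or already expired).
// Max-Age takes precedence over Expires, as browsers do.
function lifetimeDays(attrs, now) {
  let ms = 0;
  if (attrs["max-age"] !== undefined) ms = Number(attrs["max-age"]) * 1000;
  else if (attrs.expires !== undefined) ms = Date.parse(attrs.expires) - now;
  return Math.max(0, Math.ceil(ms / 86400000));
}

// One report row per cookie that was set without any consent action.
function auditCookies(observed, pageHost, now) {
  return observed.map(({ host, header }) => {
    const { name, attrs } = parseSetCookie(header);
    const days = lifetimeDays(attrs, now);
    return { name, host, party: isFirstParty(host, pageHost) ? "first" : "third",
             persistence: days === 0 ? "session" : "persistent", days };
  });
}

console.table(auditCookies(OBSERVED, PAGE_HOST, CAPTURED_AT));
```

The report only records party and lifetime; whether a given cookie needs consent still depends on its purpose, as other comments in the thread point out.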
> I verified that cookies are present in the browser's storage despite my absence of authorisation

That doesn't say much. Even the GDPR allows for some cookies to be stored without consent.

> Strictly necessary cookies — These cookies are essential for you to browse the website and use its features, such as accessing secure areas of the site. Cookies that allow web shops to hold your items in your cart while you are shopping online are an example of strictly necessary cookies. These cookies will generally be first-party session cookies. While it is not required to obtain consent for these cookies, what they do and why they are necessary should be explained to the user.

https://gdpr.eu/cookies/