Embattled users worn down by privacy options? Let them eat code
- Reference: 1728289814
- News link: https://www.theregister.co.uk/2024/10/07/cookie_opinion/
- Source link:
Brits hate how big tech handles their data, but can't be bothered to do much about it [1]READ MORE
Admittedly, the people here are the 40 percent of Brits who have never said no to a cookie in their lives. The rest of us can only feel smug if we've never clicked "Allow" to get into a site we don't care about and just need stuff from in a hurry. Those option boxes are there to protect us. They don't, and the laws that mandate them are an embarrassing failure.
Part of the problem is nothing seems to happen if you don't bother. Having your data privacy abused is like living in a house with faulty wiring. You know it's bad and you should do something about it, but it's always easier to put it off while nothing bad is happening. Then the bad thing happens.
You might not care that your car is snitching on you, until it catches fire and the maker refuses to take responsibility because you previously drove at [2]85 mph .
Taking your money without taking responsibility is a way of life for entire industries, and the more data they have on you the easier it is. They are far bigger than you and they've already got your cash, so good luck disagreeing.
[3]
Regulators and lawmakers recognized this power imbalance, which is one of the reasons behind things like the [4]EU cookie law – more properly, the ePrivacy Directive and GDPR. This has the very best of intentions, mandating that cookies are personal data and we own them. We get to make mandatory decisions from an informed viewpoint about the specific use of such things. Only we don't. The constant call for choice wearies us and becomes our enemy. The cookie fighter has become the cookie monster.
[5]
[6]
The issue is one of psychology, not technology. In the same way that companies construct terms and conditions to be as appetizing to read as creek mud is to gargle, they design cookie options to take too much attention to properly operate. They know the default action to any online irritant is to do whatever it takes to make it go away with the least expenditure of thought. The cumulative effect of thousands of the things is capitulation.
Organizations whose business models rely on screwing every drop of personal data out of you can and do spend all day every day finding new ways to skirt privacy directives. It is very difficult to legislate against constant annoyances, although the regulators try. One of the latest enterprising innovations is to use the cookie law option box to ask for money to opt out of cookies and trackers. This "Consent Or Pay" approach is, at first blush, and second, against the GDPR. Regulators do like to be fair, though, which is why the UK's Information Commissioner's Office (ICO) is having a [7]jolly good think about it .
[8]
Not that this matters if the cookie laws themselves are completely failing a large percentage of users and doing nothing much for the rest of us. The behavior of harassed humans isn't going to change, nor is the avarice of the bottom line. Regulators think in terms of behavior and practice, of stopping things that go wrong rather than innovating for improvement. Sometimes, however, you've got to go tech bro.
[9]Extracting vendor promises won't fix cybersecurity. Extracting teeth might
[10]AI to power the corporate Windows 11 refresh? Nobody's buying that
[11]China's quantum* crypto tech may be unhackable, but it's hardly a secret
[12]Upgrading Linux with Rust looks like a new challenge. It's one of our oldest
If people are easily worn down by repetition and misdirection, computers thrive on the first and are highly resistant to the second. If all cookie law option boxes were a standard format, so that it was easy for users to get the muscle memory to decline that stuff they didn't want, the story would change dramatically. They're not, of course, and given the variety of sites, as well as services and device display settings, it's not a practical option. Create a standard API, however, and those objections go away.
The user gets to configure their own default responses in the browser's privacy settings, and the cookie law option box disappears. Sites and services can ask to have their special cookies opted in, but the price to the users for not thinking about such options is zero.
Cookie-addicted businesses will hate this idea, but it's hard to construct a logical reason why it's a bad idea. It's entirely in the spirit of personal data protection, while being a small modification to an existing mechanism that's not working and needs to be fixed. The additional burden to site and service creators, and browser makers, is negligible. As APIs go, this is a bijou miniature compared to the complex monstrosities that enable all the online cleverness we know and love.
There are further advantages. As things stand, it's difficult to impossible to automate scanning for compliance of mandated data privacy options. With an API, we're off to the races. Even more intriguing, consider a landscape where publicly available compliance APIs are part of the armory of regulators and activists alive. That would focus a lot of minds in a healthy direction.
[13]
Computers are far better at following rules than humans. We might as well get them on our side. ®
Get our [14]Tech Resources
[1] https://www.theregister.com/2024/10/03/dsit_web_tracking_survey/
[2] https://www.carscoops.com/2024/07/toyota-wont-cover-gr-corolla-fire-damage-claims-tires-rated-below-85-mph/
[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2ZwOxQjK4FuHbq-6fef5a8QAAANY&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[4] https://www.cookieyes.com/blog/cookie-law/#:~:text=The%20EU%20cookie%20law%20came,use%20of%20cookies%20on%20websites
[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZwOxQjK4FuHbq-6fef5a8QAAANY&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[6] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZwOxQjK4FuHbq-6fef5a8QAAANY&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[7] https://ico.org.uk/about-the-ico/ico-and-stakeholder-consultations/call-for-views-on-consent-or-pay-business-models/
[8] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZwOxQjK4FuHbq-6fef5a8QAAANY&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[9] https://www.theregister.com/2024/09/30/security_opinion/
[10] https://www.theregister.com/2024/09/23/windows_11_ai_opinion/
[11] https://www.theregister.com/2024/09/16/opinion_column_quantum/
[12] https://www.theregister.com/2024/09/09/opinion_column_rust_linux/
[13] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZwOxQjK4FuHbq-6fef5a8QAAANY&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[14] https://whitepapers.theregister.com/
The user gets to configure their own default responses in the browser's privacy settings, and the cookie law option box disappears. Sites and services can ask to have their special cookies opted in, but the price to the users for not thinking about such options is zero.
I already have "Do not track" enabled on every device I own/use, it's a shame that honouring this is not mandated by law.
> it's hard to construct a logical reason why it's a bad idea
Neither google nor apple will implement it. Mozilla lacks the teeth to make their implementation matter.
If it's a law, it doesn't matter if Google or Apple don't like it...
Only if the ICO actually deigns to enforce it.
The real problem is that enforcement isn't happening. Every single one of the "annoying" cookie popups is flat illegal. Every single one of the "pay or track" demands is illegal.
There are any number of mid-sized targets, prosecute them. Then prosecute the big ones, and the small ones will fall into line of their own accord.
And yet, it took how many years for Ireland to ask for the tax they're due, and they even fought against it - presumably because certain high-up politicians and civil servants wanted the revolving door to keep revolving.
Just like [1]PICS , only IE implemented it and website owners couldn't be bothered to categorise their sites.
And this is even more doomed to failure because the whole of the advertising industrial complex is propped up on cookies and won't do anything that could prejudice its own profits (certainly not the "right thing"), unless it's written in law* and in that case it'll lobby, scream, and shout, and implement it in bad faith.
* By the EU of course.
[1] https://en.wikipedia.org/wiki/Platform_for_Internet_Content_Selection
yes, yes and thrice, yes!
which is why I've suggested (for ages and ineffectually) that we should lobby EU legislators to standardise the form, which should incorporate mandatory easy (one click) opt-out of all cookies and a separate but mandatory (one click) opt out of all 'legitimate' interest options. Being a standard specification it should also allow sites to silently take your preference and go with that. Sites should also have to display a menu option in a top level menu for adjusting privacy choices either after their default has been silently adopted by the site or they have made an explicit choice they'd like to adjust.
I like the API twist mentioned in the article though.
Re: yes, yes and thrice, yes!
Of course this should have been standardized in a protocol like HTTP, TLS, HTML, CSS, etc. It should be a browser setting and websites can dump 90% of their javascript that is dealing with ads, consent, and other legal crap. What I hope though is that if this is legislated, it will not legislate cookies, but legislate banning tracking and selling your data, which is the real problem. Cookies are just one of the many technical means to track you. We would not like ad companies in use other sneaky ways that are not cookies, but still track you and sell your data without you knowing.
Re: yes, yes and thrice, yes!
but I think you'll find that all 138 companies listed will have "legitimate interest" - they are all making money out of you - so all need to be individually listed in a helpful, easy to click series of check buttons for the user to consent to individually ... GDPR was never about actual user control, it was only about the appearance of user control because data makes money, money makes tax ... so there is no interest to actually stop that data flow.
What really annoys me...
Sites claiming Google Analytics is a necessary cookie.
Legitimate interest options you have to scroll and unselect every single one of them.
Sites where opting out is required on every visit (or for a few, every page) but opting in is once and done. Can we have a cookie for tracking our cookie choices we can opt into (or is designated necessary)?
I don't worry about cookies. Because they are all reset when the browser exits. Maybe legislate to make that the default.
Unfortunately for me, and luckily for the websites, I'm usually in a bit of a hurry to find information, and didn't want to consent to anything first. So when I get the cookie popup (and I don't always, because I use Consent-o-matic too), I worry that if I click Don't Accept, it won't remember that I said no, and will ask me permission next time I go to that site, so I often click 'Accept'. And yet I still get the popup.
Especially in Facebook on my mobile, where facebook's own browser is awful, and it asks me every time anyway.
I don't see what good any of this does. My browsing history is still tracked.
It's a great idea but here are already browser add-ons that deal with the majority of cookie-consent pop-ups that I get and a box to tick if they don't so they can update their database. I use Consent-O-Matic (recommended by a denizen of this forum who's name I can't remember, but thanks) but others are available.