It’s great satire, but it really does mirror a larger societal shift where the burden of safeguarding personal autonomy has shifted from institutions/regulators to individual users. Do-Not-Stab, Do-Not-Track, whatever it might be, any sort of “voluntary compliance” is a non-starter in the face of financial pressures
IMO we need to start normalizing being militant about this stuff again, to aggressively and adversarially defend the freedom to use your computer the way you choose to use it
It's amusing to see this message heavily upvoted on HN when most mentions of Firefox here are welcomed with an avalanche of perfect solution fallacies.
I'm dubious about people becoming militant about this when the software engineering industry gave Chrome a red carpet by using it and installing it on their relatives' computers while knowing very well it's adware and when switching to the alternative is incredibly cheap.
I think we shouldn't minimize the harm Chrome does by calling it adware. It monitors all your activity for Google to tie it to your identity, who then publish your demographics, preferences, history, and mental state on the global markets.
Let's call it what it is: a brain tap.
For most of it you can just go to the customer facing part of ad services and see these as distinct chooseable options, for mental state you could hand wave it away as "do we really know the mental state of someone who closely followed political news and has been searching for air tickets and migration processes since Nov 6?"
No vibes and there is voluminous evidence, eg many links here: https://spreadprivacy.com/how-does-google-track-me-even-when... as well as Google Takeout itself. Oh and I forgot location data and shopping records, those are huge. So the collected data about you are well documented.
Given the data, why would a trillion dollar company leave money on the table? Their shareholders DEMAND they monetize it. There are few forces against this.
Given the 2.095 trillion reasons why this should happen, and few reasons it shouldn't, you should demand evidence it DOESN'T happen. Presumption of innocence is backwards when there are market forces.
Chrome had the advantage for a long term because their dev tools were just so much better than Firebug in both features and performance. Even today, I can't pinpoint it to specific things because it's (relatively) little and subtle differences, but Chrome's dev tools feel way more polished than Firefox's.
It's almost as if Steve Ballmer and the legendary "developers developers developers" speech still rings true today - the key to getting people to use your software is to make life as easy for the power users as possible, let them spread the word. And it's ironic how Microsoft lost its ways there... a lot of people I know have gone from Windows to Mac and convinced their close relationships (aka those whose computers they fix) to do the same. It's just so much more relaxing to boot into an OS that doesn't try to shove advertising down your throat at every turn.
Personally I disagree. IMO, devtools were better when competing with firebug, but I haven't experienced much of a difference in the past... 8? years. Something like that.
> Chrome had the advantage for a long term because their dev tools were just so much better than Firebug in both features and performance. Even today, I can't pinpoint it to specific things because it's (relatively) little and subtle differences, but Chrome's dev tools feel way more polished than Firefox's.
My point exactly! You're talking about which browser to use for web development. That's not relevant for engineers not touching html/js/css, and for all non tech savvy family members whose computers we set up.
Interesting, in my murky memory Chrome's developer tools were at most "quite decent" but for a long period of time could hardly compete with Firefox's, maybe even with mere Firebug. It is true that in total "feature count" Chrome most probably leads now, and especially recently they seem to adapt features that used to be Firefox exclusive in remarkably increasing rate. But I really do not remember being blown away by Chrome's devtools, like, ever, actually. Even today I pretty much prefer Firefox Developer Tools over Chrome's, because they mostly have more features I actually need and also feel way less cluttered. Most of the times I need to do anything with Chrome's devtools it takes me just a little moment to stumble upon some missing detail I am used to (for example overflow/layout/event listeners badges directly in the DOM inspector tree) or to be mildly offended by unfamiliar (or missing) keybinding, or confusing layout. There are quite a few features in Chrome that I'd like to see in Firefox (command palette for example), but still prefer "living" in Fx albeit without them.
Yes, all subjective, biased and anecdotal, but wanted to leave one real (yet still virtual) vote in favour of Firefox's Developer Tools here.
> It's amusing to see this message heavily upvoted on HN when most mentions of Firefox here are welcomed with an avalanche of perfect solution fallacies.
HN is not a hive mind. There are people here who love Firefox, people who despise it, and everyone in between. It’s tiring to always be reading your type of comment, as if everyone is a hypocrite. Maybe, just maybe, the people making those contradictory comments are not the same individuals.
And it’s not like Mozilla is free from controversies, including several of betraying user trust. If every major browser maker is going to break your trust and sell your data, I can see why people choose their poison based on other factors.
I use neither Firefox nor Chrome. Is Safari any better? Or Brave? In some areas yes, in others no. I don’t think there’s a single browser vendor which gets it unambiguously right.
> HN is not a hive mind. There are people here who love Firefox, people who despise it, and everyone in between. It’s tiring to always be reading your type of comment, as if everyone is a hypocrite. Maybe, just maybe, the people making those contradictory comments are not the same individuals.
I didn't mean to say that all of HN despises Firefox, but simply that it very often brings negative sentiments, so seeing the comment I was responding to so high up in the thread made me react. It was also a kind reminder that militating is as simple as using an alternative to Chrome.
> And it’s not like Mozilla is free from controversies, including several of betraying user trust. If every major browser maker is going to break your trust and sell your data, I can see why people choose their poison based on other factors.
> I use neither Firefox nor Chrome. Is Safari any better? Or Brave? In some areas yes, in others no. I don’t think there’s a single browser vendor which gets it unambiguously right.
And you're making my point about the perfect solution fallacy as well! Of course Firefox isn't perfect and has screwed up on several occasions, does that mean it's comparable to a piece of software that sends every single bit of information it can gather to its parent ad company?
> but simply that it very often brings negative sentiments
Just as often as it brings positive sentiments. Something that is (from anecdotal observation) quite common from both camps on HN is disappointment with Mozilla’s governance.
> does that mean it's comparable to a piece of software that sends every single bit of information it can gather to its parent ad company?
Not the argument I made. As I said, I use neither.
Mozilla would be the first to request permission to stab you so that they can then analyze the blood of the knife in order to make future product decisions.
> IMO we need to start normalizing being militant about this stuff again, to aggressively and adversarially defend the freedom to use your computer the way you choose to use it
Yes. As a millennial the times of civil disobedience were better. Not only did we get a better internet for consumers, but better companies were rewarded and won. Rose tinted glasses? Possibly, but there’s another reason for disobedience: the other side does it, and they do it just for money.
Concretely, is there something like Adblock that can be done for cookies? I don’t think blocking is as effective as poisoned data though. They ask for data, they should get it. If you don’t get consent, poisoned data is merely malicious compliance.
It could even be standardized as an extension to DNT: “if asking for consent after a DNT header, a UA MAY generate arbitrary synthetic data”.
Use ublock origin with the "Cookie notices" custom lists. Not explicitly accepting cookies is legally the same as refusing them (now, whether websites actually respect that is the opening keynote of the Naiveté conference)
> Concretely, is there something like Adblock that can be done for cookies?
I use a combination of two browser extensions: Cookie AutoDelete[0] and I don't care about cookies[1]. The second hides any GDPR 'compliance' popup; the first deletes any cookies set by a website when you close the last tab with it open. Both extensions have whitelist functionality.
ublock origin now has specific filters for cookie popups, you just need to turn them on in the filter lists. I'd say this is probably preferential to downloading another addon (that already had a scare with being sold off)
I like to use Consent-o-Matic[1] for this. IDCAC accepts tracking when ignoring the request doesn't work. CoM rejects all tracking on those popups. I like the slight Fuck Off that that sends.
> aggressively and adversarially defend the freedom to use your computer the way you choose to use it
Sadly even if you’re inclined to do this, it’s always a war of attrition, and corporations seem to realize they can just up the cost of your resistance in terms of time/frustration, and that’s enough for them to win in the long term. The history and trajectory of platforms, from browsers to AppStores to SaaS-all-the-things, is just tragic, with the amount of user control on a downward slide at each stage. The big question now is whether / how / to what extent AI is going to be corporate or democratized, but it’s hard to be optimistic.
Or, you know, if Clicking do-not-stab for 60 more years sounds like it sucks, you can try to become a shepherd or something. Works great for ~10 years, and then you can’t use cars, dishwashers or light switches without clicking do-not-stab, at which point they finally win and you say, you know what? I should be grateful they asked before they stabbed me, I practically owe it to them anyway, and I can’t wait to see all the love/cash rolling in after I’m a big shot shepherd influencer. Like and subscribe y’all and as always, hail corporate
Worth noting the times where you have the choice to engage or not with a company with bad practices. Make it unprofitable for them to provide horrible service. Particularly applicable to tech, because most of it is useless rubbish we don't really need anyway!
Is this a case where monopoly actually benefits the cause? The last great uprising in the public interest, imo, was Microsoft against the open source movements at the turn of the century. It was a heady time to be involved in software. I miss it frankly.
But perhaps it really only succeeded, because that Microsoft was like the Boeing of today, a company where Pournelle's second type (the institutionalists) had taken over and was just riding out the momentum, allowing the upstart unfunded open source hippies to actually have success.
I'm registering my elderly relatives for dmachoice.org, to prevent them from getting junk mail. These clowns create the problem and then have the audacity to charge you to be added to the opt out list. I was really skeptical about the GDPR when it was passed and I am now fully on board for an American version.
I'm still extremely skeptical of it because in practice it basically added a cookie banner to every website I visit infrequently with no particular benefit to me.
Most EU national government websites have cookie banners. Even the European Commission website has a cookie banner!
This should have been implemented at the browser level. Let the browser generate a nice consistent UI to nag EU users when visiting websites about accepting cookies and let the rest of us opt out.
The standard for cookies should be updated with a way to include or retrieve a description of each cookie separately. Then, require sites to provide that description, and let users choose per cookie in the browser.
That's nonsense. It's not about the cookies, it's about the data collection. You can use cookies without having to use a cookie banner by simply not gathering data you don't need. And if you do gather that data without using cookies you still need to ask for consent.
I can tell you, with absolute certainty, that nobody knows how to implement the law or what it even means, legislators, lawyers, engineers alike. There was a good somewhere and now we're in hell.
Nah, companies don't want to implement it as it's bad for their business model so they feign ignorance.
I still remember being at an all hands at a former employer where the team presenting the revised cookie banners promoted as a benefit that it had opt in rates that would make an authoritarian dictator embarrassed to claim as uninfluenced
As someone who was helping to implement GDPR for clients when it took effect, it was a nightmare. We didn’t know exactly what to do, or when, or where, or to whom. The easiest solution for a lot of the implementations was “do the most so we don’t miss something, and pull back bits as we know more”.
You're right in the sense that it tends to be hard to understand things when your salary depends on you not understanding them. This seems to describe most web developers from the number of non-compliant consent popups in the wild.
If your claim is that sites that use cookie banners don't understand the law, I don't know how we square that claim with the European Commission site's cookie banner. Certainly, the government itself can interpret the law successfully, right?
That would be horrendous and would play right into the advertiser's hands which want you to "just click accept".
Cookies should be categorised as essential and non-essential and the website should specify which laws it is considering when it categorises them as such. The GDPR definition of "legitimate interest" (which is a bit vague but it's not that hard to understand it) should be explicitly clarified so that companies can't claim that a whole swathe of shit they opted you into automatically is "legitimate interest" if they also give you the option to opt out.
At this point they can still attach descriptions to each cookie (hopefully using some standardised interface so you don't have to literally send these with every cookie, localized) and then your browser can still present you with the idiotic: "here's what we would like you to use" interface, but streamline the process with the ability to just opt out of anything which won't outright break the website.
Although this still opens it up for abuse by companies putting things like: "your preference for us not popping up an annoying full-page message every time you visit a new page" into a "non-essential" cookie to incentivise you to just accept them all.
Honestly I think we should just have Joe "Sensible Person" judge company's websites for whether they're being actively malicious in any way and force the closure of any company which is considered actively malicious along with the destruction of all company IP and liquidation of non-IP assets. All the company owners should also be banned from owning/running any other company for 10 years. (only half kidding)
As someone who has worked on the Danish public sector I have a slightly different take on the public websites. They should never have been using things like 3rd party analytics to begin with.
I understand it’s what media and communication departments do, and that it’s natural that the people working within them would want to do so regardless of where they work. It’s their trade after all, unfortunately they bring the exact same “user engagement” mindset with them into the public sector. Well, at least in my anecdotal experience with a handful of these departments in 7-8 different cities around here. You can of course make good points on user metrics on a public website, but they should frankly work very differently than they would on most web sites. On a public website it should be the goal to get the user to leave the site as quickly as possible, because the longer they hang around the more time they are spending finding what they need. That’s not what happens with these metrics in my experience, however, instead they are used to do what you might do on a news site.
That’s just one side of it, however, because the privacy concerns are their own issue. If you absolutely want metrics on a public website at least have the courtesy to build your own. It should be illegal for public web sites to use 3rd party tracking. I know why they use it, it’s for the same reason they spend a ridiculous amount of money on custom design systems built on top of what is usually SharePoint or Umbraco. They refuse to hire the Django (insert any other extremely low maintenance system) expertise because it’s expensive on the “long term budget”, even though it would be much cheaper than 3rd party tools and consultants on the actual long term budget. Anyway, that is another point. But it really pisses me off when public websites need you to allow 3rd party tracking because they aren’t using it in any way which serves the public.
Worst of all is that cookie banners are explicitly a private industry way of dealing with their refusal to respect “do-not-stab”. Public websites could simply put their bullshit into their privacy page. Of course nobody would go there and turn on 3rd party cookies, but why should the public care?
The cookie banner is there to punish people who have cookies turned off or set to be deleted upon browser/tab close - and generally annoy everyone else.
Think about how obsessive companies are about "UX" and how disruptive the banner is. Bitch-slapping people for fighting against tracking is more important to them than the user being able to access or use the site at all.
Obviously, because in our digital economy, users are cattle. Companies are obsessive about UX so the users shut up and eat grass and allow themselves to be milked or sheared. Refusing to participate? A cow that eats grass but doesn't let itself be milked gets shot, so in some sense maybe we should be grateful for the bitch-slapping...
Or if the legal department is concerned that someone could claim a cookie is non-functional, so to save the uncertainty and expense they advise always showing the banner. Especially since everyone else does.
It seems like there should be a parallel to “tragedy of the commons” that talks about how a good idea coupled with extreme penalties can lead to a bad outcome by making any risk calculation result in “jesus we just can’t take any chances here”.
nobody cared about their privacy because there was no widespread systematic effort to invade it.
I don't care about my privacy in the street despite it being public because there's no-one following my every step taking note of where I go, how fast, what music I'm listening to, what I'm looking at... (although the astute reader will argue that this is less and less true, there's more and more tech tracking our activity in real life too)
The only hope I still have is for some kind of fully local LLM-driven "agent" browser that does the browsing for me, navigating search engines, cookie banners and showing me what it found, nothing else.
Unfortunately entire businesses are built around preventing people from using bots, for obvious reasons, so the only obvious way forward to make browsing the web a better experience will also mean ending up on the wrong side of that battle.
> ... "it basically added a cookie banner to every website I visit" ...
Yeah, no. Hostile advertising companies added that cookie banner as a form of "malicious compliance" with the law purely to annoy everyone like a buncha spoil't little brats who didn't get their way, so now they're gonna make everyone suffer... If we get a similar law in the USA, you can expect to see annoyances just like it (and probably worse) on sites hosted here, too.
The worst part is that it wasn’t even malicious compliance: the cookie banners they added seldom even satisfied law, in ways completely obvious if you just read the law (which is pretty easy reading, only a few thousand words for the relevant parts). I don’t understand why relevant commissions didn’t make more noise about that, because it was obvious that major players were deliberately poisoning public perception.
Can you source your claim? Because it seems like it would create a competitive advantage for a non-hostile advertising company. Websites aren’t any happier about cookie banners than users are. If it’s just an emotional, spiteful reaction, the grownups should be able to make a fortune.
You'd think there'd be some "competitive advantage" to be had, but when their entire industry is built upon tracking and profiling everyone they possibly can, they'll do anything they can, fighting tooth-and-nail to the very end against any legislation that somehow interferes with their tracking, even if it means resorting to childish and petty temper tantrums that further enshittify the web. What little "competition" exists in that industry all fully believe that building massive profiles on everyone is the only way to make any money at advertising. They've been allowed to get away with it for so long that they can't even remember there was a time when tracking everyone all the time everywhere wasn't even a thing (and yet advertisers still managed to advertise back then, somehow)...
Actually I thought I was clear in my framing that, if site owners are unhappy with cookie banners, it is unlikely that a conspiracy of ad networks would force them to accept the nuisance.
The claim is that no sites value their user experience enough to pick an ad solution with a better experience. I doubt that claim.
When GDPR was first going through the public circuit I remember reading the proposed laws and being pleasantly surprised to find that they specifically called out and forbade the likely workarounds, including the obnoxious banners we now see everywhere.
I would love to know what happened. Did the laws get "revised" to re-open the loophole? Was superseding legislation passed? Did the courts reject it? Are there enforcement issues?
That sounds like a legal minefield - I would point out that GDPR-style legislation exists because the legislators don't trust the industry to assess what is reasonable. So the industry would be in a position where:
1) They aren't trusted to be reasonable about user consent.
2) They are only to take action when they judge it is reasonable to check user consent.
It'd probably be a very rocky process to nail down what those words like "loophole" and "workaround" mean as the advertisers start abusing prescribed no-banner situations.
Cookie banners are malicious compliance and the failure to do anything about them is indicative as to how much the EU cares about privacy vs how much they want to be seen to be caring about privacy.
Clearly you don't have a browser plugin that simply opts out of all cookie banners. Ultimately, the websites have a financial interest in malicious compliance, so you either work within the system as given or throw your hands in the air and let every and all sites rape your data.
It is, however worth at least considering restrictions on continuously following a person in public places and reporting all their observed activities to a third party.
Of course there are practical limitations on that kind of physical surveillance. It's expensive, tends to attract attention, and even nation states can only do it to a few people at a time. Information technology allows it to scale to almost everyone, almost all the time, for a small fraction of a corporate budget.
Perhaps it's worth at least considering restrictions on that.
> It is, however worth at least considering restrictions on continuously following a person in public places and reporting all their observed activities to a third party.
I don’t see any difference between online “tracking” and real world stalking. If someone was following you everywhere you went taking notes on everything you did, interrupting you and preventing you from actually doing what you were actually wanting to do, you’d be able to have the police intercede on your behalf. Only now we think it is different because “on a computer”???
OK but that's the sites themselves doing it. If every shop puts an annoying greeter on the door or something, that's not something you would call the police about.
You are the culmination of your life's experiences. Going by your definition, one could infer an individual has zero intrinsic ownership of any non-health data. Which I categorically object to.
You have ownership over your own memories and records.
Other people also own their own memories and records - some of which may be about you.
At least, this is how it was for most of human history.
Now some people think they should be able to demand everyone destroy records about them. If it was possible, no doubt they'd also demand people destroy any memories about them as well.
ePD in 2002 mandated cookie banners well before GDPR in 2018. But yes, point taken that well intentioned regulation can be poorly implemented and have negative repercussions.
I know of no regulation that mandated cookie banners. I just know a lot of sites who chose to use banners because the operators are somewhere between weaselly and malicious.
I wonder if there is some way to DoS the tracking services by basically accepting third party cookies but then immediately discarding them so every page load generates a new cookie and presumably state stored on the other end to match it. Or are these tracking cookies typically self-contained so that no state is stored server-side?
Yeah and the fuss about it being enabled by default is not really relevant. In the EU tracking must be opt-in anyway. So this is expected behaviour.
However the EU dropped the ball by not making it mandatory to respect this flag. If they had we wouldn't have had the huge cookiewall mess we have now.
The annoying thing is that they have regulations in trilogue that would actually make the DNT header obligatory to follow, the ePrivacy Regulation. That was supposed to drop alongside GDPR, but has instead been delayed for 6 years now. It's apparently supposed to be finally finalized somewhere in 2024, so I hope to see it sometime soon.
> larger societal shift where the burden of safeguarding personal autonomy has shifted from institutions/regulators to individual users.
If anything the shift is going the other way, with some of the more busy-body jurisdictions trying to take things that are properly enforced by the user's user-agent and instead making them officially the responsibility of the other party.
On the internet, it started as the user's responsibility.
For netizens, the idea that the user should be able to opt out of logs about their interaction with the service the operator owns is novel (because they always had the option of not using the service if they found the pattern distasteful).
There's a bit of a difference between normal logging of access to services to protect your devices / network (and to understand your users' access to your services), and using every nasty trick in the book to build extensive detailed profiles of everyone's browsing footprint across the entire web, often without their knowledge or consent (hence the laws, because it's the only way to convince some folks to not do bad things). The first should be expected behavior, whereas the second should be considered unacceptable and abusive, but has somehow been "normalized" in modern society.
The internet started with decentralized protocols like NNTP, so you could just choose a different news server if the one you were using started tracking + selling your download logs.
Centralizing the serving of third party (or even first party) content is already way outside the original norms of the internet.
Heck, back in the day, HTTP caching would be enough to block tracking. (No javascript, and only the ISP sees which users pulled the document from cache.)
The internet/arpanet started largely with centralized protocols like various file transfer protocols, telnet, finger, various networked filesystem protocols, network printer protocols, network graphics protocols, echo, QOTD, etc.
It's important to note that the Do-Not-Stab header has been deprecated because one browser engine switched it on by default and requiring users to opt into stabbing hurt the bottom line of the stabbing industry, so it's no longer respected. Luckily someone came up with General Assault Control, a non-standard alternative, which also only has one value, so you can set Sec-GAC to 1 to request websites not to assault you. By design, this header cannot be extended, so it cannot be used to distinguish brutal stabbings from a comedic pie to the face in the future.
Because of legal requirements, the General Assault Control header may not be enabled by default, as American states like Colorado require explicit opt-out (rather than explicit opt-in). This protects Colorado's thriving stabbing and shooting industry as most users will never want to opt into being stabbed.
Despite the feature being forced to be disabled by default, the organisation behind the spec is pushing hard for customers to download fringe browsers that implement the feature (though you may need about:config to enable it). Because of the small user base, the request not to be assaulted can be used by websites not willing to follow the standard to make their stabbings and shootings more precise. End users can request a JSON file from the web server containing the supposed support for the GAC header, but requesting this URL may be used to kick the user in the teeth by non compliant servers.
It's now customary, in order to comply with European regulations, to present users with a list of possible violent crimes against their person that they can opt out of before using a website. This ensures that non-consent to stabbing is always an active choice, so that users who want to be stabbed or otherwise maimed won't accidentally miss out on the opportunity.
You can put a window that covers the bottom half of the content, that defaults to all assaults being allowed, and also has a way to customize which assaults you would like. It shouldn't be possible to uncheck necessary assaults, for the website might not work.
And “by not work” we mean “will work exactly as it should, but little Timmy in marketing will get a frowny face and won’t go out for drinks on Friday, so you have to tick it”.
This is such transparent EU Bureaucracy shilling. No wonder Europe doesn't have any large SaaS companies with their stabbing unfriendly business climate.
The stabtech industry will just change to Stab-Into-The-Back technology, because every user hates to be stabbed in the chest, but doesn't care if it's not seen.
I think you are factually wrong: Skype, Spotify, Revolut, Zendesk, Transferwise... There are quite many European unicorns too (less though than US and Chinese companies) which are operating as SaaS. Some of them got acquired or re-based to other countries though
This website appears to be part of a webring (how delightful!) made up of MtF trans people, furries, self-identified robots (some of which exclusively use third person pronouns) and sometimes a mixture of these. All appear to be some form of sysadmin or programmer.
This isn't my tribe, but I'm incredibly pleased to see a beautiful reflection of the old internet within this webring.
For the low price of $20/1000 clicks, I will provide you with a stabbing consent banner, fully compliant with upcoming EU and CA regulations on web-based stabbing.
I'm sold, the distinctions between "necessary", "targeting", "performance" and "functional" stabbings are such a minefield. Not to mention how I'm supposed to properly disclose the 846 different stabbing brokers I work with. How's a man supposed to make a living stabbing people with all of this red tape in the way?
By the way, studies show users only opt in to stabbing with our competitor's banner 95% of the time, but they opt in with ours 98% of the time, thanks to our banner taking 50% longer to properly opt out of, so you should really go with us.
The Do Not Track header was originally proposed in 2009 by researchers Christopher Soghoian and Sid Stamm.[2] Mozilla Firefox became the first browser to implement the feature.
I wonder how many web developers actually honour Do Not Track. I do, in all the websites I've made for my employer too, but I think I'm only getting away with it because my employer doesn't know. I've even made it so that browsing with Do-Not-Track enabled also skips the cookie consent banner and just assumes the user wants no cookies other than the strictly necessary ones (like their session/login cookie), and doesn't include Google Analytics, instead just upping a single view counter on the page, with no PII in there.
A better option would be to just make tracking illegal, and heavily fine companies that are found to be doing it. And make it strict liability, so intent doesn't matter.
I know we all have our pitchforks out, and I hate tracking as much as everyone else here, but "tracking" is a very broad term, and is not always malicious. Unless you want to outlaw access logs, for example.
Which is why it should be defined in the law. The GDPR and the ePrivacy directive define what counts as tracking and what is acceptable. See for example:
I see nothing wrong with outlawing access logs. They were invented and standardized at a time when the IP address field did not map 1:1 to the building in which you and your children sleep.
That's reasonable. Could also decimate the adtech industry and cut them down to just serving ads based on keyword searches and location, like they did 20 years ago
> A better option would be to just make tracking illegal, and heavily fine companies that are found to be doing it. And make it strict liability, so intent doesn't matter.
I don't think it's that easy though. The "just" is doing a lot of work in there. Consider:
Some websites have login with third-party credentials. It doesn't matter that you choose to use these for convenience, because intent doesn't matter, and it is a fact that both the Service Provider and the Identity Provider are tracking you. IdP knows which sites you are logging in to, and SP knows and stores your third-party identity (they might say they need it to know which account you're logging in to, but like I said, intent doesn't matter).
Hacker News is currently tracking me. They might say the cookie is needed for session stuff to work, but intent doesn't matter, and it is a fact that the cookie uniquely identifies me.
My web browser is tracking my mouse position. Mozilla might say they need it for styling stuff to work, but intent doesn't matter, and it is a fact that Mozilla's software is tracking my mouse position in real time (let's not even talk about browser history).
Your browser cache might have two HN posts where my comments appear. If that's the case, then it would be a fact that you are tracking which posts I am commenting on. Intent doesn't matter, so hopefully you're not a company (tracking is fine if you're an individual though (based on the quoted text)).
/s
Hopefully this ride down the slippery slope illustrates some subtleties, at least without a very precise definition of "tracking". But then again, if the definition is too precise, there's gonna be loopholes in the letter of the law; in that case we might say that we should also consider the spirit of the law, but "intent" is part of that.
You're taking exactly the right approach in my book. Thank you!
I don't know if they still do it, but last time I browsed Medium I found that it claimed to respect DNT, which is quite nice.
Lots of self-hosted analytics software also respects DNT out of the box and I don't think site administrators often bother to turn that off.
Still, the vast majority of websites probably ignores the header, especially since it's been deprecated as a standard. If you care about such things, maybe also consider looking into Sec-GPC, its intended replacement.
I do indeed check against both DNT and Sec-GPC (and navigator.doNotTrack and navigator.globalPrivacyControl in JS) basically treating them identically. GPC is ostensibly not about tracking itself, but about sharing data, though I just figured that data that isn't recorded can't be shared either.
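The approach described in this comment and in the earlier one about skipping the consent banner, sketched as an added example (not the commenter's code). The function names, the `req.consent` and `req.loggedIn` fields and the in-memory view counter are assumptions made for illustration.

```javascript
// Added illustration; optedOut, optedOutClient, planResponse and viewCounts
// are hypothetical names, not taken from any site or library.

// Look a header up case-insensitively (Node lowercases names, other stacks may not).
function header(headers, name) {
  const want = name.toLowerCase();
  for (const [key, value] of Object.entries(headers || {})) {
    if (key.toLowerCase() === want) {
      return String(Array.isArray(value) ? value[0] : value).trim();
    }
  }
  return undefined;
}

// Server side: "DNT: 1" or "Sec-GPC: 1" is an opt-out. "DNT: 0" and any
// other value are not, and "DNT: 0" does not cancel "Sec-GPC: 1".
function optedOut(headers) {
  return header(headers, 'DNT') === '1' || header(headers, 'Sec-GPC') === '1';
}

// Client side: the same decision from navigator.doNotTrack and
// navigator.globalPrivacyControl. Older browsers exposed the DNT value as
// "yes" or on window.doNotTrack, so both are accepted.
function optedOutClient(nav, win = {}) {
  const dnt = nav.doNotTrack ?? win.doNotTrack;
  return dnt === '1' || dnt === 'yes' || nav.globalPrivacyControl === true;
}

// One integer per path: no IP address, user agent, cookie or timestamp.
const viewCounts = new Map();

// Decide what a page response may contain.
// req.consent is an assumption: 'granted', 'denied' or undefined, as read
// from a previously stored banner choice. An opt-out signal wins over it.
function planResponse(req) {
  const optOut = optedOut(req.headers);
  const consented = !optOut && req.consent === 'granted';
  const plan = {
    showConsentBanner: !optOut && req.consent === undefined,
    includeAnalytics: consented,
    cookies: req.loggedIn ? ['session'] : [], // strictly necessary only
    // The response differs by these request headers, so shared caches
    // must key on them.
    vary: 'DNT, Sec-GPC',
  };
  if (consented) {
    plan.cookies.push('analytics');
  } else {
    // Anonymous page-view counter instead of third-party analytics.
    viewCounts.set(req.path, (viewCounts.get(req.path) || 0) + 1);
  }
  return plan;
}

// Constructed requests, not captured traffic.
const demo = [
  { path: '/a', headers: { dnt: '1' }, loggedIn: true },
  { path: '/a', headers: { 'sec-gpc': '1' }, consent: 'granted' },
  { path: '/a', headers: {}, consent: 'granted' },
  { path: '/a', headers: {} },
].map(planResponse);
console.log(demo, Object.fromEntries(viewCounts));
```
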
There was a much more elaborate standard called P3P recommended by W3C in 2002. It apparently defined a description of how business can use personal data.
But apparently it was considered too complex and "lacking enforcement".
Now maybe if it survived till GDPR it could have its enforcement, but Mozilla yanked support before that...
No, they love the money they can make about you. I don’t know anybody giving their money to these people. It is other shady companies buying the data about for, shady companies that have collected. All of this is offered to you free of charge.
Relax, folks, entities have plenty of other options, there still won't be support for Do-Not-Shoot, Do-Not-Rape, Do-Not-Stone, fun for the whole family.
A bit of lore that I learned in my networking class in college was that the RFC name was chosen as tongue in cheek in that by the time a proposal gets to the RFC stage, comments are very much not appreciated. You're supposed to comment well before that point.
No idea if that bit of lore is true but it is certainly the case that RFCs are usually the final word on the relevant standard. In fact, once they get their ID, RFCs cannot be modified or rescinded; only superseded by another RFC.
That's apocryphal, the name just lasted beyond the original workflow of a now 55 year old publishing system.
The idea that a published RFC is a final word is a newer idea too. Yeah, you can't modify an RFC, you have to publish a newer one, but that was a pretty good way of doing distributed change control in 1969.
> The early RFCs were, in fact, requests for comments on ideas and proposals; the goal was to start conversations rather than to create an archival record of a standard or best practice. This goal changed over time, as the formality of the publication process evolved and the community consuming the material grew. Today, over 8500 RFCs have been published, ranging across best practice guidance, experimental protocols, informational material, and, of course, Internet standards.
RFCs operate under the IETF. RFCs are developed under some specific group, and you can join that group, the business is generally conducted on email. There are (well, were back when I participated) in-person meetings, but attendance there was not mandatory.
RFC:s are published by the RFC Editor <https://www.rfc-editor.org/>. While it’s true that most RFC:s are written and published through the IETF, this is not an actual rule.
Excellent satire. Really drives the point home. I think it's hard sometimes to understand just how much forces of bad use paper trail to push their agenda. This outlines this really well
Adtech is kind of like the fungal domain of the web, in that it allows life to technically exist where it shouldn’t, because death is actively in progress. It recycles deathly content back to the top of the food chain to Big N, wherein it is reconstituted into cushy salaries for the people that ultimately create the infrastructure that allows endless slop to permeate the web.
Don't care too much about do-not-stab since I deployed a pi-bulldog on my network that catches all the back alley NSRs (network stab requests). I was thinking about using SDoH (self-defense over https) or AoT (AR15 over TLS) to be protected outside my network as well, but honestly the little stabbings here and there cause sufficiently little blood to be drawn that it's not worth the hassle.
I couldn’t tell if it was intended to be a note-for-note parody of an RFC about the do-not-track header, but I couldn’t find one that would qualify. The closest would be this[1], but it doesn’t cleanly match up (in part because [1] is more verbose and its points scattered).
Another satire RFC in the same spirit is the one about the evil bit[2] (designate one bit in packets to indicate whether it’s intended for evil), with the same subtext as the linked post: no, you can’t trust malicious entities to change their behavior to make it easier to stop.
Them: What's your LinkedIn Account?
Me: Don't have one.
Them: Twitter?
Me: Nope.
Them: InstaGram or TicToc?
Me: Nope.
Them: Do you use the web at all?
Me: Only through Lynx. I see a lot fewer ads.
Them: No JavaScript! How do you use YouTube?
Me: I don't, really.
Them: You have no social media?
Me: Well... I *did* order a pizza from Dominos online once...
Yeah... I don't use the web much as you would expect for someone
whose livelihood depends on it. I just wish USENET was still
USEFUL. I have a rant in me about ad-tech and crap-ware on the
web. I'm just enjoying my life without the web too much to
write it. And clearly, HN is my web-tech Achilles heel.
I find it funny that the authors are from Google, of Google Analytics, where the recommended way to opt out of tracking is to install a "do not track" browser plugin (not available on mobile).
> Google has also released a browser plug-in that turns off data about a page visit being sent to Google, however, this browser extension is not available for mobile browsers.
If Monty Python made an RFC it would look very much like this one, just with more fruit.
On a more serious note: yeah wtf. I hope we in the EU draw the conclusion of companies even being unable (unwilling?) to gain informed consent and just start treating these privacy breaches as an outright crime.
Maybe it’s just me, but I fundamentally disagree with the mentality that we should prioritize the “feeling of being special” among those who already get the joke (and corresponding point) at the expense of those who have yet to appreciate the message.
You can still laugh at the joke with the section there, you’ll just have fewer confused people to correct, and be in one less elite club.
The thing is, the last part does not just explain the joke, it is a very angry rant, and it ruins it for me because of the change of tone.
Imagine in real life, someone starts making a joke, and then suddenly starts cursing and yelling. I wouldn't be comfortable with what feels like a lack of self-control and I will try to move away before things get violent.
Either do the "joke" style or the "angry rant" style, not both. The joke can be explained calmly if there is a need to.
>The thing is, the last part does not just explain the joke, it is a very angry rant, and it ruins it for me because of the change of tone.
The original criticism I wasn't objecting to wasn't making this distinction, and so this is a different argument. I wasn't defending the angry tone, only the existence of a section, "if you didn't get it, here's the point".
>Imagine in real life, someone starts making a joke, and then suddenly starts cursing and yelling. I wouldn't be comfortable with what feels like a lack of self-control and I will try to move away before things get violent.
Okay, now it seems like you're saying the section would be bad even with a calm, non-angry tone, in which case my point about the need for a non-joke section applies.
In any case, the standard of "what if this were real life" is a bad one to use. An internet post is not an in-person interaction, and it optimizes for different things. You might as well object to footnotes on the grounds that, "hey, in real life, you wouldn't go on all these tangents because that's distracting".
If you already got the point, by the time you got to the rant, and don't need the explanation, you can (and should) stop reading there. It's not relevant to you. It's supplemental information for anyone who didn't get the point. You know, the ones you don't think deserve the same level of understanding as you, the ones who weren't elite enough, like you, to get the reference.
Sure, but the point of critical thinking club isn’t really its exclusivity. In this case if you don’t know which specific header this is parodying that’s completely understandable. But if you really think this is about computers stabbing people and can’t laugh at yourself about it when you find out that it isn’t then I don’t think we will be able to engage on this topic in a mutually rewarding manner.
I don’t think it’s about computers stabbing people, but that’s not relevant. The issue is your willingness to keep people in the dark so you can feel good that you got a reference without it being explained.
I wasn’t accusing you of not getting the joke, I was speaking in general. But thank you for demonstrating how it’s difficult to have a conversation with someone who takes everything literally.
>I wasn’t accusing you of not getting the joke, I was speaking in general.
But you were -- you just hid it under a veneer of snark, innuendo, and plausible deniability so I'd be tainted by the implication, while still allowing you to (right on cue) insist that's not what you meant.
Maybe now you're starting to understand why ambiguity in writing is a double-edged sword. But then, if you were that conscientious, I wouldn't have to make the original point in the first place.
I feel the need to comment on one sentence in it: “companies are god damn children and must be told no explicitly by every person individually.”
While it's true that children will often go out of their way to test boundaries, I have no trouble giving them the benefit of the doubt and saying that children are innocently experimenting.
Companies, meanwhile, are doing this with fully deliberate malicious intent. They do this because capitalism rewards it. We need to say this, and keep saying it, until everyone gets it. Companies cannot be reared like children. Companies do not “mature” to become well-behaving, ethical citizens. With the profit motive in effect, companies have every incentive to work around every legislation and regulation and screw us at every opportunity they get. The profit motive must go.
I'd love for Please-Do-Stab header to exist so I can just set it and with it opt out of any stabbing-anti-stabbing wars and politics.
I fully understand that its absence wouldn't mean that people won't get stabbed, but it would save time and mental space of all people like me who really don't care about being stabbed or not.
Honestly if anything, I'd like to be stabbed more.
By analogy to current situation about tracking ... Ad companies know too much about me? I think they know too little. For example for half a year they still haven't figured out that I know barely any words in German and are serving me German advertisements all the time just because I happen to be living in Germany currently.
> it’s fucking depressing when even the fucking bare minimum form of regulation is followed to the letter and no more
For Microsoft this also rings true from the opposite direction. Any specification that Microsoft technically abides is implemented in an egregiously dark way (at least for anything consumable at an enterprise level).
They go to great lengths to exercise every bit of leeway permitted by the spec, even when it doesn't make economical sense, because what are you gonna do about it? Vote with your wallet? Against the vendor that runs all your workstations and manages your directories and databases and deployments and authentication and authorization and business intelligence and and and?
No, you're gonna accommodate their absurd counter-requirements because what other choice do you have? The decision then becomes:
1. branch your code to shit with `vendor == microsoft` clauses
2. branch your project/architecture to shit and effectively maintain a Microsoft version alongside the "normal" core version
3. use Microsoft's bespoke library that solves the problem they created
A project that selects option 3 will face the least resistance integrating with Microsoft products, but will also become beholden to arbitrary rules that complicate integration with every other vendor who benevolently implements the standard.
The authors are [redacted] Google. Are they actually Google? They seem to unironically complain about what Microsoft is doing, but Google is guilty of the same.
> it’s fucking depressing when even the fucking bare minimum form of regulation is followed to the letter and no more, because every company out there fucking hates you and would sell you out to make a bit more money if they legally could. and even if they couldn’t, who’s going to stop them?
Certainly not any government. If you think the EU's regulations are of any help to the consumer you are gravely mistaken. The EU is quickly becoming a fucking nightmare to live in. "The more corrupt the state, the more numerous the laws". The meme that goes around atm is that while Elon Musk created Tesla, SpaceX and Starlink the EU managed to get everybody to now have plastic bottles that do not close properly anymore: due to some regulation that mandates that bottle caps must hold to the bottle, weird only partially-functional mechanisms have been created and it's a PITA to either drink from a plastic bottle or, worse, try to lay it horizontally in a fridge.
That's what the EU is: probably that some politicians or bureaucrats with enough brain cells to recognize a bottle cap on the ground thought "I've got an idea to make the EU better, let's mandate every bottle to have a cap that cannot be separated from the bottle".
As a result you lay horizontally a plastic bottle of sugary drink in your fridge (because you've been used to do that for decades) and now all your fridge is sticky due to the bottle leaking.
It's all that is wrong with the EU bureaucrats in one example.
Also hailing the EU as the savior vs Microsoft when our lives became miserable with EU consent cookie popups virtually everywhere is a bit thick.
The non-profit Plastic Deposit Organisation, responsible for managing Denmark's container deposit system, estimates that this change alone will enable them to collect and reuse approximately 70 million additional bottle caps annually. This equates to 140 tonnes of plastic each year.
This assumes a 90% cap return rate before (which seems low) and a 100% return rate afterwards (not in Denmark myself but I can't be the only one to have returned zero of the new caps vs almost 100% before).
The whole thing smells like a made up issue concocted by some company wanting to sell their bottle cap solution.
Honestly yeah. The EU is run entirely by PMC people who don't understand or care about the effect on lower-class and frankly less intelligent people's lives.
> The meme that goes around atm is that while Elon Musk created Tesla, SpaceX and Starlink the EU managed to get everybody to now have plastic bottles that do not close properly anymore: due to some regulation that mandates that bottle caps must hold to the bottle, weird only partially-functional mechanisms have been created and it's a PITA to either drink from a plastic bottle or, worse, try to lay it horizontally in a fridge.
I haven't encountered that meme, but if it exists, it's like most memes seem to be: Wrong. The bottle caps work just fine.
It’s great satire, but it really does mirror a larger societal shift where the burden of safeguarding personal autonomy has shifted from institutions/regulators to individual users. Do-Not-Stab, Do-Not-Track, whatever it might be, any sort of “voluntary compliance” is a non-starter in the face of financial pressures
IMO we need to start normalizing being militant about this stuff again, to aggressively and adversarially defend the freedom to use your computer the way you choose to use it
It's amusing to see this message heavily upvoted on HN when most mentions of Firefox here are welcomed with an avalanche of perfect solution fallacies.
I'm dubious about people becoming militant about this when the software engineering industry gave Chrome a red carpet by using it and installing it on their relatives' computers while knowing very well it's adware and when switching to the alternative is incredibly cheap.
I think we shouldn't minimize the harm Chrome does by calling it adware. It monitors all your activity for Google to tie it to your identity, who then publish your demographics, preferences, history, and mental state on the global markets. Let's call it what it is: a brain tap.
> who then publish your demographics, preferences, history, and mental state on the global markets.
Is there any evidence this actually happens? Or are we just going based on vibes?
For most of it you can just go to the customer facing part of ad services and see these as distinct chooseable options, for mental state you could hand wave it away as "do we really know the mental state of someone who closely followed political news and has been searching for air tickets and migration processes since Nov 6?"
No vibes and there is voluminous evidence, eg many links here: https://spreadprivacy.com/how-does-google-track-me-even-when... as well as Google Takeout itself. Oh and I forgot location data and shopping records, those are huge. So the collected data about you are well documented.
Given the data, why would a trillion dollar company leave money on the table? Their shareholders DEMAND they monetize it. There are few forces against this.
https://www.eff.org/deeplinks/2020/03/google-says-it-doesnt-...
Given the 2.095 trillion reasons why this should happen, and few reasons it shouldn't, you should demand evidence it DOESN'T happen. Presumption of innocence is backwards when there are market forces.
Read any of the “I asked site X for my personal data” articles to get an idea of what’s going on.
I asked Google for my personal data and they had almost nothing on me. But I have opted out of every form of data collection so it makes sense to me.
Chrome had the advantage for a long term because their dev tools were just so much better than Firebug in both features and performance. Even today, I can't pinpoint it to specific things because it's (relatively) little and subtle differences, but Chrome's dev tools feel way more polished than Firefox's.
It's almost as if Steve Ballmer and the legendary "developers developers developers" speech still rings true today - the key to getting people to use your software is to make life as easy for the power users as possible, let them spread the word. And it's ironic how Microsoft lost its ways there... a lot of people I know have gone from Windows to Mac and convinced their close relationships (aka those whose computers they fix) to do the same. It's just so much more relaxing to boot into an OS that doesn't try to shove advertising down your throat at every turn.
Personally I disagree. IMO, devtools were better when competing with firebug, but I haven't experienced much of a difference in the past... 8? years. Something like that.
> Chrome had the advantage for a long term because their dev tools were just so much better than Firebug in both features and performance. Even today, I can't pinpoint it to specific things because it's (relatively) little and subtle differences, but Chrome's dev tools feel way more polished than Firefox's.
My point exactly! You're talking about which browser to use for web development. That's not relevant for engineers not touching html/js/css, and for all non tech savvy family members whose computers we set up.
Interesting, in my murky memory Chrome's developer tools were at most "quite decent" but for a long period of time could hardly compete with Firefox's, maybe even with mere Firebug. It is true that in total "feature count" Chrome most probably leads now, and especially recently they seem to adapt features that used to be Firefox exclusive at a remarkably increasing rate. But I really do not remember being blown away by Chrome's devtools, like, ever, actually. Even today I pretty much prefer Firefox Developer Tools over Chrome's, because they mostly have more features I actually need and also feel way less cluttered. Most of the times I need to do anything with Chrome's devtools it takes me just a little moment to stumble upon some missing detail I am used to (for example overflow/layout/event listeners badges directly in the DOM inspector tree) or to be mildly offended by unfamiliar (or missing) keybinding, or confusing layout. There are quite a few features in Chrome that I'd like to see in Firefox (command palette for example), but still prefer "living" in Fx albeit without them.
Yes, all subjective, biased and anecdotal, but wanted to leave one real (yet still virtual) vote in favour of Firefox's Developer Tools here.
> It's amusing to see this message heavily upvoted on HN when most mentions of Firefox here are welcomed with an avalanche of perfect solution fallacies.
HN is not a hive mind. There are people here who love Firefox, people who despise it, and everyone in between. It’s tiring to always be reading your type of comment, as if everyone is a hypocrite. Maybe, just maybe, the people making those contradictory comments are not the same individuals.
And it’s not like Mozilla is free from controversies, including several of betraying user trust. If every major browser maker is going to break your trust and sell your data, I can see why people choose their poison based on other factors.
I use neither Firefox nor Chrome. Is Safari any better? Or Brave? In some areas yes, in others no. I don’t think there’s a single browser vendor which gets it unambiguously right.
> HN is not a hive mind. There are people here who love Firefox, people who despise it, and everyone in between. It’s tiring to always be reading your type of comment, as if everyone is a hypocrite. Maybe, just maybe, the people making those contradictory comments are not the same individuals.
I didn't mean to say that all of HN despises Firefox, but simply that it very often brings negative sentiments, so seeing the comment I was responding to so high up in the thread made me react. It was also a kind reminder that militating is as simple as using an alternative to Chrome.
> And it’s not like Mozilla is free from controversies, including several of betraying user trust. If every major browser maker is going to break your trust and sell your data, I can see why people choose their poison based on other factors.
> I use neither Firefox nor Chrome. Is Safari any better? Or Brave? In some areas yes, in others no. I don’t think there’s a single browser vendor which gets it unambiguously right.
And you're making my point about the perfect solution fallacy as well! Of course Firefox isn't perfect and has screwed up on several occasions, does that mean it's comparable to a piece of software that sends every single bit of information it can gather to its parent ad company?
> but simply that it very often brings negative sentiments
Just as often as it brings positive sentiments. Something that is (from anecdotal observation) quite common from both camps on HN is disappointment with Mozilla’s governance.
> does that mean it's comparable to a piece of software that sends every single bit of information it can gather to its parent ad company?
Not the argument I made. As I said, I use neither.
Mozilla would be the first to request permission to stab you so that they can then analyze the blood of the knife in order to make future product decisions.
> IMO we need to start normalizing being militant about this stuff again, to aggressively and adversarially defend the freedom to use your computer the way you choose to use it
Yes. As a millennial the times of civil disobedience were better. Not only did we get a better internet for consumers, but better companies were rewarded and won. Rose tinted glasses? Possibly, but there’s another reason for disobedience: the other side does it, and they do it just for money.
Concretely, is there something like Adblock that can be done for cookies? I don’t think blocking is as effective as poisoned data though. They ask for data, they should get it. If you don’t get consent, poisoned data is merely malicious compliance.
It could even be standardized as an extension to DNT: “if asking for consent after a DNT header, a UA MAY generate arbitrary synthetic data”.
Use ublock origin with the "Cookie notices" custom lists. Not explicitly accepting cookies is legally the same as refusing them (now, whether websites actually respect that is the opening keynote of the Naiveté conference)
> Concretely, is there something like Adblock that can be done for cookies?
I use a combination of two browser extensions: Cookie AutoDelete[0] and I don't care about cookies[1]. The second hides any GDPR 'compliance' popup; the first deletes any cookies set by a website when you close the last tab with it open. Both extensions have whitelist functionality.
[0] https://github.com/Cookie-AutoDelete/Cookie-AutoDelete
[1] https://www.i-dont-care-about-cookies.eu/
ublock origin now has specific filters for cookie popups, you just need to turn them on in the filter lists. I'd say this is probably preferential to downloading another addon (that already had a scare with being sold off)
> I don't care about cookies[1]. The second hides any GDPR 'compliance' popup
> [1] https://www.i-dont-care-about-cookies.eu/
I like to use Consent-o-Matic[1] for this. IDCAC accepts tracking when ignoring the request doesn't work. CoM rejects all tracking on those popups. I like the slight Fuck Off that that sends.
[1] https://consentomatic.au.dk/
GDPR compliance isn't about cookies, it's about processing personal data. You can be tracked without cookies, so ignore these at your own peril.
To be extremely pedantic, it's great satire precisely because it mirrors that shift. Owes a lot to the OG, A Modest Proposal.
> aggressively and adversarially defend the freedom to use your computer the way you choose to use it
Sadly even if you’re inclined to do this, it’s always a war of attrition, and corporations seem to realize they can just up the cost of your resistance in terms of time/frustration, and that’s enough for them to win in the long term. The history and trajectory of platforms, from browsers to App Stores to SaaS-all-the-things, is just tragic, with the amount of user control on a downward slide at each stage. The big question now is whether / how / to what extent AI is going to be corporate or democratized, but it’s hard to be optimistic.
Or, you know, if Clicking do-not-stab for 60 more years sounds like it sucks, you can try to become a shepherd or something. Works great for ~10 years, and then you can’t use cars, dishwashers or light switches without clicking do-not-stab, at which point they finally win and you say, you know what? I should be grateful they asked before they stabbed me, I practically owe it to them anyway, and I can’t wait to see all the love/cash rolling in after I’m a big shot shepherd influencer. Like and subscribe y’all and as always, hail corporate
Worth noting the times where you have the choice to engage or not with a company with bad practices. Make it unprofitable for them to provide horrible service. Particularly applicable to tech, because most of it is useless rubbish we don't really need anyway!
Reminds me of Graphene OS, which forces you to directly give money to Google to buy a Pixel, if you care about privacy and security.
Is this a case where monopoly actually benefits the cause? The last great uprising in the public interest, imo, was Microsoft against the open source movements at the turn of the century. It was a heady time to be involved in software. I miss it frankly.
But perhaps it really only succeeded because that Microsoft was like the Boeing of today, a company where Pournelle's second type (the institutionalists) had taken over and was just riding out the momentum, allowing the upstart unfunded open source hippies to actually have success.
Best time to do that would've been 19 days ago, but here we are. Buckle up.
I'm registering my elderly relatives for dmachoice.org, to prevent them from getting junk mail. These clowns create the problem and then have the audacity to charge you to be added to the opt out list. I was really skeptical about the GDPR when it was passed and I am now fully on board for an American version.
I'm still extremely skeptical of it because in practice it basically added a cookie banner to every website I visit infrequently with no particular benefit to me.
I'm just going to click "yes," stop asking.
The cookie banner is only there because the website in question uses non-functional cookies (e.g. targeted advertising)
It's gotten entirely out of hand.
Most EU national government websites have cookie banners. Even the European Commission website has a cookie banner!
This should have been implemented at the browser level. Let the browser generate a nice consistent UI to nag EU users when visiting websites about accepting cookies and let the rest of us opt out.
The standard for cookies should be updated with a way to include or retrieve a description of each cookie separately. Then, require sites to provide that description, and let users choose per cookie in the browser.
That's nonsense. It's not about the cookies, it's about the data collection. You can use cookies without having to use a cookie banner by simply not gathering data you don't need. And if you do gather that data without using cookies you still need to ask for consent.
I can tell you, with absolute certainty, that nobody knows how to implement the law or what it even means, legislators, lawyers, engineers alike. There was a good somewhere and now we're in hell.
Nah, companies don't want to implement it as it's bad for their business model so they feign ignorance.
I still remember being at an all hands at a former employer where the team presenting the revised cookie banners promoted as a benefit that it had opt in rates that would make an authoritarian dictator embarrassed to claim as uninfluenced
Considering the dozens of European governments that have been fined under the GDPR, I think it's safe to say that it's not just feigned ignorance.
As someone who was helping to implement GDPR for clients when it took effect, it was a nightmare. We didn’t know exactly what to do, or when, or where, or to whom. The easiest solution for a lot of the implementations was “do the most so we don’t miss something, and pull back bits as we know more”.
You're right in the sense that it tends to be hard to understand things when your salary depends on you not understanding them. This seems to describe most web developers from the number of non-compliant consent popups in the wild.
Can you give an example?
If your claim is that sites that use cookie banners don't understand the law, I don't know how we square that claim with the European Commission site's cookie banner. Certainly, the government itself can interpret the law successfully, right?
They already provide description: "improve user experience", lol.
That would be horrendous and would play right into the advertiser's hands which want you to "just click accept".
Cookies should be categorised as essential and non-essential and the website should specify which laws it is considering when it categorises them as such. The GDPR definition of "legitimate interest" (which is a bit vague but it's not that hard to understand it) should be explicitly clarified so that companies can't claim that a whole swathe of shit they opted you into automatically is "legitimate interest" if they also give you the option to opt out.
At this point they can still attach descriptions to each cookie (hopefully using some standardised interface so you don't have to literally send these with every cookie, localized) and then your browser can still present you with the idiotic: "here's what we would like you to use" interface, but streamline the process with the ability to just opt out of anything which won't outright break the website.
Although this still opens it up for abuse by companies putting things like: "your preference for us not popping up an annoying full-page message every time you visit a new page" into a "non-essential" cookie to incentivise you to just accept them all.
Honestly I think we should just have Joe "Sensible Person" judge companies' websites for whether they're being actively malicious in any way and force the closure of any company which is considered actively malicious along with the destruction of all company IP and liquidation of non-IP assets. All the company owners should also be banned from owning/running any other company for 10 years. (only half kidding)
As someone who has worked on the Danish public sector I have a slightly different take on the public websites. They should never have been using things like 3rd party analytics to begin with.
I understand it’s what media and communication departments do, and that it’s natural that the people working within them would want to do so regardless of where they work. It’s their trade after all, unfortunately they bring the exact same “user engagement” mindset with them into the public sector. Well, at least in my anecdotal experience with a handful of these departments in 7-8 different cities around here. You can of course make good points on user metrics on a public website, but they should frankly work very differently than they would on most web sites. On a public website it should be the goal to get the user to leave the site as quickly as possible, because the longer they hang around the more time they are spending finding what they need. That’s not what happens with these metrics in my experience, however, instead they are used to do what you might do on a news site.
That’s just one side of it, however, because the privacy concerns are their own issue. If you absolutely want metrics on a public website at least have the courtesy to build your own. It should be illegal for public web sites to use 3rd party tracking. I know why they use it, it’s for the same reason they spend a ridiculous amount of money on custom design systems built on top of what is usually SharePoint or Umbraco. They refuse to hire the Django (insert any other extremely low maintenance system) expertise because it’s expensive on the “long term budget”, even though it would be much cheaper than 3rd party tools and consultants on the actual long term budget. Anyway, that is another point. But it really pisses me off when public websites need you to allow 3rd party tracking because they aren’t using it in any way which serves the public.
Worst of all is that cookie banners are explicitly a private industry way of dealing with their refusal to respect “do-not-stab”. Public websites could simply put their bullshit into their privacy page. Of course nobody would go there and turn on 3rd party cookies, but why should the public care?
The cookie banner is there to punish people who have cookies turned off or set to be deleted upon browser/tab close - and generally annoy everyone else.
Think about how obsessive companies are about "UX" and how disruptive the banner is. Bitch-slapping people for fighting against tracking is more important to them than the user being able to access or use the site at all.
Obviously, because in our digital economy, users are cattle. Companies are obsessive about UX so the users shut up and eat grass and allow themselves to be milked or sheared. Refusing to participate? A cow that eats grass but doesn't let itself be milked gets shot, so in some sense maybe we should be grateful for the bitch-slapping...
Or if the legal department is concerned that someone could claim a cookie is non-functional, so to save the uncertainty and expense they advise always showing the banner. Especially since everyone else does.
It seems like there should be a parallel to “tragedy of the commons” that talks about how a good idea coupled with extreme penalties can lead to a bad outcome by making any risk calculation result in “jesus we just can’t take any chances here”.
No, all the companies running the sites chose to add a cookie banner. And you choose to keep going there.
Yes, and my life would be more convenient if this banner would go away or I could declare a universal preference.
I miss the old Internet where nobody cared about their privacy.
Nobody cared about their privacy because there was no widespread systematic effort to invade it.
I don't care about my privacy in the street despite it being public because there's no-one following my every step taking note of where I go, how fast, what music I'm listening to, what I'm looking at... (although the astute reader will argue that this is less and less true, there's more and more tech tracking our activity in real life too)
I click no to all of them, but it would be really nice if the Do-Not-Track header essentially let you pick in advance — for you (0) or for me (1)
Not just "really nice". It must be mandatory to respect it.
The only hope I still have is for some kind of fully local LLM-driven "agent" browser that does the browsing for me, navigating search engines, cookie banners and showing me what it found, nothing else.
Unfortunately entire businesses are built around preventing people from using bots, for obvious reasons, so the only obvious way forward to make browsing the web a better experience will also mean ending up on the wrong side of that battle.
> ... "it basically added a cookie banner to every website I visit" ...
Yeah, no. Hostile advertising companies added that cookie banner as a form of "malicious compliance" with the law purely to annoy everyone like a buncha spoil't little brats who didn't get their way, so now they're gonna make everyone suffer... If we get a similar law in the USA, you can expect to see annoyances just like it (and probably worse) on sites hosted here, too.
The worst part is that it wasn’t even malicious compliance: the cookie banners they added seldom even satisfied law, in ways completely obvious if you just read the law (which is pretty easy reading, only a few thousand words for the relevant parts). I don’t understand why relevant commissions didn’t make more noise about that, because it was obvious that major players were deliberately poisoning public perception.
Not if we ban third-party ads.
Can you source your claim? Because it seems like it would create a competitive advantage for a non-hostile advertising company. Websites aren’t any happier about cookie banners than users are. If it’s just an emotional, spiteful reaction, the grownups should be able to make a fortune.
You'd think there'd be some "competitive advantage" to be had, but when their entire industry is built upon tracking and profiling everyone they possibly can, they'll do anything they can, fighting tooth-and-nail to the very end against any legislation that somehow interferes with their tracking, even if it means resorting to childish and petty temper tantrums that further enshittify the web. What little "competition" exists in that industry all fully believe that building massive profiles on everyone is the only way to make any money at advertising. They've been allowed to get away with it for so long that they can't even remember there was a time when tracking everyone all the time everywhere wasn't even a thing (and yet advertisers still managed to advertise back then, somehow)...
Other replier believes that competition is a system that works toward consumer needs and betterments. Advertising is extractive
Actually I thought I was clear in my framing that, if site owners are unhappy with cookie banners, it is unlikely that a conspiracy of ad networks would force them to accept the nuisance.
The claim is that no sites value their user experience enough to pick an ad solution with a better experience. I doubt that claim.
Competition _is_ a system that works toward consumer needs and betterments. In advertising though, you are not the consumer.
That heavily incentivizes me to advocate against any such law.
And if the regulators didn't predict such compliance they should be replaced with competent actors in their jobs.
That was the obvious outcome. What did people predict: site owners leaving money on the table? Who pays for operating the sites then?
When GDPR was first going through the public circuit I remember reading the proposed laws and being pleasantly surprised to find that they specifically called out and forbade the likely workarounds, including the obnoxious banners we now see everywhere.
I would love to know what happened. Did the laws get "revised" to re-open the loophole? Was superseding legislation passed? Did the courts reject it? Are there enforcement issues?
That sounds like a legal minefield - I would point out that GDPR-style legislation exists because the legislators don't trust the industry to assess what is reasonable. So the industry would be in a position where:
1) They aren't trusted to be reasonable about user consent.
2) They are only to take action when they judge it is reasonable to check user consent.
It'd probably be a very rocky process to nail down what those words like "loophole" and "workaround" mean as the advertisers start abusing prescribed no-banner situations.
TL;DR the enforcement simply lacks manpower, and the most egregious cases go to court which also takes time.
All the sites that need advertising like that can just die off and leave the internet a better place.
Did we ever think that would be the end result of all this?
Good job rewarding those companies for adding the nag screen. I'm sure that will get them to stop.
If by 'companies' you mean https://commission.europa.eu/ then sure.
Cookie banners are malicious compliance and the failure to do anything about them is indicative as to how much the EU cares about privacy vs how much they want to be seen to be caring about privacy.
Clearly you don't have a browser plugin that simply opts out of all cookie banners. Ultimately, the websites have a financial interest in malicious compliance, so you either work within the system as given or throw your hands in the air and let every and all sites rape your data.
Yes, the second one. I don't really care; it's not "my" data. It's data about me.
When I walk down the street and someone sees me go by, those aren't my photons they caught. By analogy, same with my browsing history.
It is, however, worth at least considering restrictions on continuously following a person in public places and reporting all their observed activities to a third party.
Of course there are practical limitations on that kind of physical surveillance. It's expensive, tends to attract attention, and even nation states can only do it to a few people at a time. Information technology allows it to scale to almost everyone, almost all the time, for a small fraction of a corporate budget.
Perhaps it's worth at least considering restrictions on that.
> It is, however, worth at least considering restrictions on continuously following a person in public places and reporting all their observed activities to a third party.
I don’t see any difference between online “tracking” and real world stalking. If someone was following you everywhere you went taking notes on everything you did, interrupting you and preventing you from actually doing what you were actually wanting to do, you’d be able to have the police intercede on your behalf. Only now we think it is different because “on a computer”???
> interrupting you and preventing you from actually doing what you were actually wanting to do
This is the part that would get the police involved, and no-one online is doing anything like this.
Doris the curtain-twitcher compiles a dossier on everyone, maybe shares it in her gossip circles. No-one cares.
Every site that puts up a cookie banner is interfering with my doing what I want.
OK but that's the sites themselves doing it. If every shop puts an annoying greeter on the door or something, that's not something you would call the police about.
You are the culmination of your life's experiences. Going by your definition, one could infer an individual has zero intrinsic ownership of any non-health data. Which I categorically object to.
You have ownership over your own memories and records.
Other people also own their own memories and records - some of which may be about you.
At least, this is how it was for most of human history.
Now some people think they should be able to demand everyone destroy records about them. If it was possible, no doubt they'd also demand people destroy any memories about them as well.
That's not how it's been for the bulk of modern history. What absolute absurdity. It's an ancap mentality taken to the notion of privacy.
The problem is GDPR isn't prescriptive enough. That makes it ripe for "technically correct but really annoying" solutions.
It also failed to actually ban ad tracking.
ePD in 2002 mandated cookie banners well before GDPR in 2018. But yes, point taken that well intentioned regulation can be poorly implemented and have negative repercussions.
I know of no regulation that mandated cookie banners. I just know a lot of sites who chose to use banners because the operators are somewhere between weasely and malicious.
Key to note that the cookie banner fiasco wasn't GDPR, it was a separate policy that should be changed.
I wonder if there is some way to DoS the tracking services by basically accepting third party cookies but then immediately discarding them so every page load generates a new cookie and presumably state stored on the other end to match it. Or are these tracking cookies typically self-contained so that no state is stored server-side?
Given that web industry uses no-server-state for *authentication* (with all the issues it implies), I would expect tracking also be no-server-state.
Isn't that the reason cookies were invented in the first place? To keep servers stateless?
If the server can recognize you then it is not stateless, cookies make http stateless
Yeah and the fuss about it being enabled by default is not really relevant. In the EU tracking must be opt-in anyway. So this is expected behaviour.
However the EU dropped the ball by not making it mandatory to respect this flag. If they had we wouldn't have had the huge cookiewall mess we have now.
The annoying thing is that they have regulations in trilogue that would actually make the DNT header obligatory to follow, the ePrivacy Regulation. That was supposed to drop alongside GDPR, but has instead been delayed for 6 years now. It's apparently supposed to be finally finalized somewhere in 2024, so I hope to see it sometime soon.
Oh that's good news, that would be great, then I can just set that flag and will never have to bother with cookie banners again <3
> larger societal shift where the burden of safeguarding personal autonomy has shifted from institutions/regulators to individual users.
If anything the shift is going the other way, with some of the more busy-body jurisdictions trying to take things that are properly enforced by the user's user-agent and instead making them officially the responsibility of the other party.
On the internet, it started as the user's responsibility.
For netizens, the idea that the user should be able to opt out of logs about their interaction with the service the operator owns is novel (because they always had the option of not using the service if they found the pattern distasteful).
There's a bit of a difference between normal logging of access to services to protect your devices / network (and to understand your users' access to your services), and using every nasty trick in the book to build extensive detailed profiles of everyone's browsing footprint across the entire web, often without their knowledge or consent (hence the laws, because it's the only way to convince some folks to not do bad things). The first should be expected behavior, whereas the second should be considered unacceptable and abusive, but has somehow been "normalized" in modern society.
It's a difference of degree, not kind, which is how it became normalized.
The internet started with decentralized protocols like NNTP, so you could just choose a different news server if the one you were using started tracking + selling your download logs.
Centralizing the serving of third party (or even first party) content is already way outside the original norms of the internet.
Heck, back in the day, HTTP caching would be enough to block tracking. (No javascript, and only the ISP sees which users pulled the document from cache.)
The internet/arpanet started largely with centralized protocols like various file transfer protocols, telnet, finger, various networked filesystem protocols, network printer protocols, network graphics protocols, echo, QOTD, etc.
It's important to note that the Do-Not-Stab header has been deprecated because one browser engine switched it on by default and requiring users to opt into stabbing hurt the bottom line of the stabbing industry, so it's no longer respected. Luckily someone came up with General Assault Control, a non-standard alternative, which also only has one value, so you can set Sec-GAC to 1 to request websites not to assault you. By design, this header cannot be extended, so it cannot be used to distinguish brutal stabbings from a comedic pie to the face in the future.
Because of legal requirements, the General Assault Control header may not be enabled by default, as American states like Colorado require explicit opt-out (rather than explicit opt-in). This protects Colorado's thriving stabbing and shooting industry as most users will never want to opt into being stabbed.
Despite the feature being forced to be disabled by default, the organisation behind the spec is pushing hard for customers to download fringe browsers that implement the feature (though you may need about:config to enable it). Because of the small user base, the request not to be assaulted can be used by websites not willing to follow the standard to make their stabbings and shootings more precise. End users can request a JSON file from the web server containing the supposed support for the GAC header, but requesting this URL may be used to kick the user in the teeth by non-compliant servers.
It's now customary, in order to comply with European regulations, to present users with a list of possible violent crimes against their person that they can opt out of before using a website. This ensures that non-consent to stabbing is always an active choice, so that users who want to be stabbed or otherwise maimed won't accidentally miss out on the opportunity.
We value your body integrity. We and our 1492 partners would like to stab you.
Please use this outlandishly convoluted form to opt out of every single one individually.
You might also want to read our ToS in order to stay informed about the multiple ways, some of them illegal under EU law, you still will get stabbed.
(Approximate reading time: 4h53m, assuming a law degree and multiple years of experience in data protection law practice)
We also have a monthly paid plan that allows you to avoid some of the stabbing automatically (but not all of it).
Estimated cost for paying every random website you stumble upon: one bazillion dollar / month (imitates Dr. Evil face)
Is this part of a long term plan for opt-in suicide booths in New New York City?
Why is it a binary value? What about masochists, or people who lost a bet and want to be stabbed just a little? Or strangled?
You can put a window that covers the bottom half of the content that defaults to all assaults being allowed and also has a way to customize which assaults you would like. It shouldn't be possible to uncheck necessary assaults for the website might not work.
And “by not work” we mean “will work exactly as it should, but little Timmy in marketing will get a frowny face and won’t go out for drinks on Friday, so you have to tick it”.
This is such transparent EU Bureaucracy shilling. No wonder Europe doesn't have any large SaaS companies with their stabbing unfriendly business climate.
Yeah, why can't the EU just leave the stabtech industry stab in peace?...
The stabtech industry will just change to Stab-Into-The-Back technology, because every user hates to be stabbed in the chest, but doesn't care if it's not seen.
I downvoted before I read the end of the comment and realized this was satire.
Good to know HN will be the same in 100 years. /s
I think you are factually wrong: Skype, Spotify, Revolut, Zendesk, Transferwise... There are quite many European unicorns too (less though than US and Chinese companies) which are operating as SaaS. Some of them got acquired or re-based to other countries though
Didn’t Zendesk stab a pentester recently?
https://news.ycombinator.com/item?id=41818459
Can confirm, got stabbed by a spammer on Skype yesterday.
Skype is fully American these days though.
This website appears to be part of a webring (how delightful!) made up of MtF trans people, furries, self-identified robots (some of which exclusively use third person pronouns) and sometimes a mixture of these. All appear to be some form of sysadmin or programmer.
This isn't my tribe, but I'm incredibly pleased to see a beautiful reflection of the old internet within this webring.
For the low price of $20/1000 clicks, I will provide you with a stabbing consent banner, fully compliant with upcoming EU and CA regulations on web-based stabbing.
I'm sold, the distinctions between "necessary", "targeting", "performance" and "functional" stabbings are such a minefield. Not to mention how I'm supposed to properly disclose the 846 different stabbing brokers I work with. How's a man supposed to make a living stabbing people with all of this red tape in the way?
At least people will be able to differentiate between legitimate interest to stab you and consent to be stabbed for 247 of those 846 partners.
By the way, studies show users only opt in to stabbing with our competitors' banner 95% of the time, but they opt in with ours 98% of the time, thanks to our banner taking 50% longer to properly opt out of, so you should really go with us.
I raise you 5000% longer, which gets you to four nines.
The Do Not Track header was originally proposed in 2009 by researchers Christopher Soghoian and Sid Stamm.[2] Mozilla Firefox became the first browser to implement the feature.
https://en.wikipedia.org/wiki/Do_Not_Track#:~:text=The%20Do%....
I wonder how many web developers actually honour Do Not Track. I do, in all the websites I've made for my employer too, but I think I'm only getting away with it because my employer doesn't know. I've even made it so that browsing with Do-Not-Track enabled also skips the cookie consent banner and just assumes the user wants no cookies other than the strictly necessary ones (like their session/login cookie), and doesn't include Google Analytics, instead just upping a single view counter on the page, with no PII in there.
A better option would be to just make tracking illegal, and heavily fine companies that are found to be doing it. And make it strict liability, so intent doesn't matter.
I can dream...
I know we all have our pitchforks out, and I hate tracking as much as everyone else here, but "tracking" is a very broad term, and is not always malicious. Unless you want to outlaw access logs, for example.
> but "tracking" is a very broad term
Which is why it should be defined in the law. The GDPR and the ePrivacy directive define what counts as tracking and what is acceptable. See for example:
https://commission.europa.eu/resources-partners/europa-web-g...
I don’t think GP is suggesting we just make a law that says “u track, u pay fine”.
I see nothing wrong with outlawing access logs. They were invented and standardized at a time when the IP address field did not map 1:1 to the building in which you and your children sleep.
This sounds like a recipe to reduce the internet to a handful of heavily-financed publishers who can afford legal protection against strict liability.
That's reasonable. Could also decimate the adtech industry and cut them down to just serving ads based on keyword searches and location, like they did 20 years ago
I mean... I'm not categorically against the internet becoming the exclusive playground of FAANG companies, but I perceive many don't agree.
> A better option would be to just make tracking illegal, and heavily fine companies that are found to be doing it. And make it strict liability, so intent doesn't matter.
I don't think it's that easy though. The "just" is doing a lot of work in there. Consider:
Some websites have login with third-party credentials. It doesn't matter that you choose to use these for convenience, because intent doesn't matter, and it is a fact that both the Service Provider and the Identity Provider are tracking you. IdP knows which sites you are logging in to, and SP knows and stores your third-party identity (they might say they need it to know which account you're logging in to, but like I said, intent doesn't matter).
Hacker News is currently tracking me. They might say the cookie is needed for session stuff to work, but intent doesn't matter, and it is a fact that the cookie uniquely identifies me.
My web browser is tracking my mouse position. Mozilla might say they need it for styling stuff to work, but intent doesn't matter, and it is a fact that Mozilla's software is tracking my mouse position in real time (let's not even talk about browser history).
Your browser cache might have two HN posts where my comments appear. If that's the case, then it would be a fact that you are tracking which posts I am commenting on. Intent doesn't matter, so hopefully you're not a company (tracking is fine if you're an individual though (based on the quoted text)).
/s
Hopefully this ride down the slippery slope illustrates some subtleties, at least without a very precise definition of "tracking". But then again, if the definition is too precise, there's gonna be loopholes in the letter of the law; in that case we might say that we should also consider the spirit of the law, but "intent" is part of that.
You're taking exactly the right approach in my book. Thank you!
I don't know if they still do it, but last time I browsed Medium I found that it claimed to respect DNT, which is quite nice. Lots of self-hosted analytics software also respects DNT out of the box and I don't think site administrators often bother to turn that off. Still, the vast majority of websites probably ignores the header, especially since it's been deprecated as a standard. If you care about such things, maybe also consider looking into Sec-GPC, its intended replacement.
I do indeed check against both DNT and Sec-GPC (and navigator.doNotTrack and navigator.globalPrivacyControl in JS) basically treating them identically. GPC is ostensibly not about tracking itself, but about sharing data, though I just figured that data that isn't recorded can't be shared either.
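The server-side behaviour described in the comments above (treat `DNT: 1` and `Sec-GPC: 1` identically, skip the banner, set only strictly necessary cookies, count views anonymously), written out as an added example that is not any commenter's or project's code. The function names, cookie names, category labels and the choice to let a signal override previously stored consent are assumptions made for illustration.

```javascript
// Added example: honouring DNT and Sec-GPC on the server.
// Cookie names and categories are constructed for illustration.

// True when any request header carries an opt-out signal.
function hasOptOutSignal(headers) {
  const norm = {};
  for (const [name, value] of Object.entries(headers || {})) {
    // Header names are case-insensitive; a repeated header may arrive as an
    // array or as one comma-joined string, so split and trim every value.
    const parts = (Array.isArray(value) ? value : String(value).split(","))
      .map((v) => String(v).trim());
    const key = name.toLowerCase();
    norm[key] = (norm[key] || []).concat(parts);
  }
  // Most restrictive value wins: a single "1" anywhere counts as an opt-out.
  // "DNT: 0" and an absent header are both treated as "no signal".
  return (norm["dnt"] || []).includes("1") ||
         (norm["sec-gpc"] || []).includes("1");
}

// storedConsent: null (never asked), "accepted" or "rejected" (earlier banner).
function privacyPolicyFor(headers, storedConsent = null) {
  if (hasOptOutSignal(headers)) {
    // Assumption of this example: the signal overrides stored consent.
    return { showBanner: false, loadAnalytics: false, categories: ["essential"] };
  }
  if (storedConsent === "accepted") {
    return { showBanner: false, loadAnalytics: true,
             categories: ["essential", "analytics"] };
  }
  // No signal and no consent: ask once, load nothing optional meanwhile.
  return { showBanner: storedConsent === null, loadAnalytics: false,
           categories: ["essential"] };
}

// Anonymous counter: stores a path and a number, nothing about the visitor.
function makeViewCounter() {
  const counts = new Map();
  return {
    hit(path) {
      counts.set(path, (counts.get(path) || 0) + 1);
      return counts.get(path);
    },
    get(path) { return counts.get(path) || 0; },
  };
}

// Build the response plan for one request.
function handleRequest(req, counter) {
  const policy = privacyPolicyFor(req.headers, req.storedConsent);
  counter.hit(req.path);
  const wanted = [
    { name: "session", category: "essential" },
    { name: "_analytics_id", category: "analytics" },
  ];
  return {
    // The response differs by these request headers, so shared caches must
    // key on them or one visitor's variant is served to another.
    headers: { Vary: "DNT, Sec-GPC, Cookie" },
    setCookies: wanted
      .filter((c) => policy.categories.includes(c.category))
      .map((c) => c.name),
    showBanner: policy.showBanner,
    loadAnalytics: policy.loadAnalytics,
  };
}
```

Client-side scripts would need the same check against `navigator.doNotTrack` and `navigator.globalPrivacyControl`, as the comment above notes, since a cached page can otherwise load analytics on its own.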
There was a much more elaborate standard called P3P recommended by W3C in 2002. It apparently defined a description of how business can use personal data.
But apparently it was considered too complex and "lacking enforcement".
Now maybe if it survived till GDPR it could have its enforcement, but Mozilla yanked support before that...
> because every company out there fucking hates you
They don't actually hate you. Rather, they love your money and they have a depraved indifference for you.
They don't hate you, but they're Out To Get You (https://www.lesswrong.com/posts/ENBzEkoyvdakz4w5d/out-to-get...)
No, they love the money they can make about you. I don’t know anybody giving their money to these people. It is other shady companies buying the data about for, shady companies that have collected. All of this is offered to you free of charge.
Mind you, some companies will take your money and still track the shit out of you, show you ads, and sell your data to the highest bidder.
> and sell your data to the highest bidder.
Do they provide a guarantee to only sell once, instead of selling to everyone?
That reminds me of the second half of this sketch https://www.youtube.com/watch?v=uQjUh4nWwaM
looks like someone just discovered that capitalism is bad for people ^^ who would have thought it...
Relax, folks, entities have plenty of other options, there still won't be support for Do-Not-Shoot, Do-Not-Rape, Do-Not-Stone, fun for the whole family.
Don't forget robots.txt
I’ve always wondered, since an RFC is a request for comment, how does one leave a comment? And who?
A bit of lore that I learned in my networking class in college was that the RFC name was chosen as tongue in cheek in that by the time a proposal gets to the RFC stage, comments are very much not appreciated. You're supposed to comment well before that point.
No idea if that bit of lore is true but it is certainly the case that RFCs are usually the final word on the relevant standard. In fact, once they get their ID, RFCs cannot be modified or rescinded; only superseded by another RFC.
Finally I understand why RFCs are served with the Do-Not-Comment header!
That's apocryphal, the name just lasted beyond the original workflow of a now 55 year old publishing system.
The idea that a published RFC is a final word is a newer idea too. Yeah, you can't modify an RFC, you have to publish a newer one, but that was a pretty good way of doing distributed change control in 1969.
Then they should be renamed CFCs (closed for comments).
But CFCs are banned!
> The early RFCs were, in fact, requests for comments on ideas and proposals; the goal was to start conversations rather than to create an archival record of a standard or best practice. This goal changed over time, as the formality of the publication process evolved and the community consuming the material grew. Today, over 8500 RFCs have been published, ranging across best practice guidance, experimental protocols, informational material, and, of course, Internet standards.
> https://www.rfc-editor.org/rfc/rfc8700.html
Nowadays you're supposed to comment before it gets to "Internet standard"
RFCs operate under the IETF. RFCs are developed under some specific group, and you can join that group, the business is generally conducted on email. There are (well, were back when I participated) in-person meetings, but attendance there was not mandatory.
RFC:s are published by the RFC Editor <https://www.rfc-editor.org/>. While it’s true that most RFC:s are written and published through the IETF, this is not an actual rule.
"request for compliance" is the alternative interpretation.
You can submit errata. Maybe it should be renamed to RFE.
Wouldn’t this header just be another bit of entropy used by companies that are going to stab you anyway?
Without legal backing, yes. If it had that it would have been a very different story.
If you make misusing the header illegal then only illegals will stab you.
Excellent satire. Really drives the point home. I think it's hard sometimes to understand just how much forces of bad use paper trail to push their agenda. This outlines this really well
Adtech is kind of like the fungal domain of the web, in that it allows life to technically exist where it shouldn’t, because death is actively in progress. It recycles deathly content back to the top of the food chain to Big N, wherein it is reconstituted into cushy salaries for the people that ultimately create the infrastructure that allows endless slop to permeate the web.
Don't care too much about do-not-stab since I deployed a pi-bulldog on my network that catches all the back alley NSRs (network stab requests). I was thinking about using SDoH (self-defense over https) or AoT (AR15 over TLS) to be protected outside my network as well, but honestly the little stabbings here and there cause sufficiently little blood to be drawn that it's not worth the hassle.
I couldn’t tell if it was intended to be a note-for-note parody of an RFC about the do-not-track header, but I couldn’t find one that would qualify. The closest would be this[1], but it doesn’t cleanly match up (in part because [1] is more verbose and its points scattered).
Another satire RFC in the same spirit is the one about the evil bit[2] (designate one bit in packets to indicate whether it’s intended for evil), with the same subtext as the linked post: no, you can’t trust malicious entities to change their behavior to make it easier to stop.
[1] https://www.w3.org/TR/2019/NOTE-tracking-dnt-20190117/
[2] https://datatracker.ietf.org/doc/html/rfc3514
This is going to wipe out the saas market
(Sutures As A Service) which is an additional somewhat often used service once Stabbing As A Service has occurred.
A big shoutout to those reading the comments who are the direct subjects of this satire.
I find it funny that the authors are from Google, of Google Analytics, where the recommended way to opt out of tracking is to install a "do not track" browser plugin (not available on mobile).
> Google has also released a browser plug-in that turns off data about a page visit being sent to Google, however, this browser extension is not available for mobile browsers.
source: https://en.wikipedia.org/wiki/Google_Analytics#Privacy
For some reason, I'm reminded of a particular comic strip from Achewood - https://achewood.com/2007/01/11/title.html.
"Fools! I have invented a usb device which can collect votes from the Internet and drive a knife through your heart!"
I see someone needs to teach their user-agent how to say "no".
Maybe they could get advice on the best way to do that from these people?: https://news.ycombinator.com/item?id=42169027
Sounds like handlers of the “UPGRADE” verb SHOULD have taken the “WOCK” to Poland.
If Monty Python made an RFC it would look very much like this one, just with more fruit.
On a more serious note: yeah wtf. I hope we in the EU draw the conclusion of companies even being unable (unwilling?) to gain informed consent and just start treating these privacy breaches as an outright crime.
I'm personally more worried about being clamped, but this is a step in the right direction.
For those who only skim things, it might be worth scrolling down to read the "Editor Comments" section which is the actual article.
I feel like that section ruins the joke.
Maybe it’s just me, but I fundamentally disagree with the mentality that we should prioritize the “feeling of being special” among those who already get the joke (and corresponding point) at the expense of those who have yet to appreciate the message.
You can still laugh at the joke with the section there, you’ll just have fewer confused people to correct, and be in one less elite club.
The thing is, the last part does not just explain the joke, it is a very angry rant, and it ruins it for me because of the change of tone.
Imagine in real life, someone starts making a joke, and then suddenly starts cursing and yelling. I wouldn't be comfortable with what feels like a lack of self-control and I will try to move away before things get violent.
Either do the "joke" style or the "angry rant" style, not both. The joke can be explained calmly if there is a need to.
>The thing is, the last part does not just explain the joke, it is a very angry rant, and it ruins it for me because of the change of tone.
The original criticism I wasn't objecting to wasn't making this distinction, and so this is a different argument. I wasn't defending the angry tone, only the existence of a section, "if you didn't get it, here's the point".
>Imagine in real life, someone starts making a joke, and then suddenly starts cursing and yelling. I wouldn't be comfortable with what feels like a lack of self-control and I will try to move away before things get violent.
Okay, now it seems like you're saying the section would be bad even with a calm, non-angry tone, in which case my point about the need for a non-joke section applies.
In any case, the standard of "what if this were real life" is a bad one to use. An internet post is not an in-person interaction, and it optimizes for different things. You might as well object to footnotes on the grounds that, "hey, in real life, you wouldn't go on all these tangents because that's distracting".
If you already got the point, by the time you got to the rant, and don't need the explanation, you can (and should) stop reading there. It's not relevant to you. It's supplemental information for anyone who didn't get the point. You know, the ones you don't think deserve the same level of understanding as you, the ones who weren't elite enough, like you, to get the reference.
Sure, but the point of critical thinking club isn’t really its exclusivity. In this case if you don’t know which specific header this is parodying that’s completely understandable. But if you really think this is about computers stabbing people and can’t laugh at yourself about it when you find out that it isn’t then I don’t think we will be able to engage on this topic in a mutually rewarding manner.
I don’t think it’s about computers stabbing people, but that’s not relevant. The issue is your willingness to keep people in the dark so you can feel good that you got a reference without it being explained.
I wasn’t accusing you of not getting the joke, I was speaking in general. But thank you for demonstrating how it’s difficult to have a conversation with someone who takes everything literally.
>I wasn’t accusing you of not getting the joke, I was speaking in general.
But you were -- you just hid it under a veneer of snark, innuendo, and plausible deniability so I'd be tainted by the implication, while still allowing you to (right on cue) insist that's not what you meant.
Maybe now you're starting to understand why ambiguity in writing is a double-edged sword. But then, if you were that conscientious, I wouldn't have to make the original point in the first place.
If you actually got that from what I wrote I’d apologize but I don’t think you’re engaging in good faith.
I feel the need to comment on one sentence in it: “companies are god damn children and must be told no explicitly by every person individually.”
While it's true that children will often go out of their way to test boundaries, I have no trouble giving them the benefit of the doubt and saying that children are innocently experimenting.
Companies, meanwhile, are doing this with fully deliberate malicious intent. They do this because capitalism rewards it. We need to say this, and keep saying it, until everyone gets it. Companies cannot be reared like children. Companies do not “mature” to become well-behaving, ethical citizens. With the profit motive in effect, companies have every incentive to work around every legislation and regulation and screw us at every opportunity they get. The profit motive must go.
I bailed before that so thanks for pointing it out. I couldn't agree more, both with the point implied by the RFC and with that directly stated below.
Right. This was just too on point. Thank you for making my night!
Why a header?
Do a sidedoor as a /do-not-stab.txt
Do-Not-Stab: 1
> “We and our 756 partners process personal data[…]” wow big polycule this website is in
This gets more and more unhinged, I love it
Well that's one way to take a stab at this problem.
I'd love for Please-Do-Stab header to exist so I can just set it and with it opt out of any stabbing-anti-stabbing wars and politics.
I fully understand that its absence wouldn't mean that people won't get stabbed, but it would save time and mental space of all people like me who really don't care about being stabbed or not.
Honestly if anything, I'd like to be stabbed more.
By analogy to current situation about tracking ... Ad companies know too much about me? I think they know too little. For example for half a year they still haven't figured out that I know barely any words in German and are serving me German advertisements all the time just because I happen to be living in Germany currently.
> it’s fucking depressing when even the fucking bare minimum form of regulation is followed to the letter and no more
For Microsoft this also rings true from the opposite direction. Any specification that Microsoft technically abides is implemented in an egregiously dark way (at least for anything consumable at an enterprise level).
They go to great lengths to exercise every bit of leeway permitted by the spec, even when it doesn't make economical sense, because what are you gonna do about it? Vote with your wallet? Against the vendor that runs all your workstations and manages your directories and databases and deployments and authentication and authorization and business intelligence and and and?
No, you're gonna accommodate their absurd counter-requirements because what other choice do you have? The decision then becomes:
1. branch your code to shit with `vendor == microsoft` clauses
2. branch your project/architecture to shit and effectively maintain a Microsoft version alongside the "normal" core version
3. use Microsoft's bespoke library that solves the problem they created
A project that selects option 3 will face the least resistance integrating with Microsoft products, but will also become beholden to arbitrary rules that complicate integration with every other vendor who benevolently implements the standard.
The authors are [redacted] Google. Are they actually Google? They seem to unironically complain about what Microsoft is doing, but Google is guilty of the same.
I think the author's entire point is that self-regulation by the big boys is not working very well.
The actual author is one person, user '5225225'
Apparently they identify as a robot, not a person.
Dude come on
> it’s fucking depressing when even the fucking bare minimum form of regulation is followed to the letter and no more, because every company out there fucking hates you and would sell you out to make a bit more money if they legally could. and even if they couldn’t, who’s going to stop them?
Certainly not any government. If you think the EU's regulations are of any help to the consumer you are gravely mistaken. The EU is quickly becoming a fucking nightmare to live in. "The more corrupt the state, the more numerous the laws". The meme that goes around atm is that while Elon Musk created Tesla, SpaceX and Starlink the EU managed to get everybody to now have plastic bottles that do not close properly anymore: due to some regulation that mandates that bottle caps must hold to the bottle, weird only partially-functional mechanisms have been created and it's a PITA to either drink from a plastic bottle or, worse, try to lay it horizontally in a fridge.
That's what the EU is: probably that some politicians or bureaucrats with enough brain cells to recognize a bottle cap on the ground thought "I've got an idea to make the EU better, let's mandate every bottle to have a cap that cannot be separated from the bottle".
As a result you lay horizontally a plastic bottle of sugary drink in your fridge (because you've been used to do that for decades) and now all your fridge is sticky due to the bottle leaking.
It's all that is wrong with the EU bureaucrats in one example.
Also hailing the EU as the savior vs Microsoft when our lives became miserable with EU consent cookie popups virtually everywhere is a bit thick.
So the EU is bad because you can't learn to screw on a bottle cap that's different than before?
I am not joining the whole “EU is bad argument”, however the new caps are very annoying, especially the limited benefits they provide.
The non-profit Plastic Deposit Organisation, responsible for managing Denmark's container deposit system, estimates that this change alone will enable them to collect and reuse approximately 70 million additional bottle caps annually. This equates to 140 tonnes of plastic each year.
https://www.emballagefokus.dk/goer-noget-uden-at-goere-noget...
This assumes a 90% cap return rate before (which seems low) and a 100% return rate afterwards (not in Denmark myself but I can't be the only one to have returned zero of the new caps vs almost 100% before).
The whole thing smells like a made up issue concocted by some company wanting to sell their bottle cap solution.
Honestly yeah. The EU is run entirely by PMC people who don't understand or care about the effect on lower-class and frankly less intelligent people's lives.
> while Elon Musk created Tesla, SpaceX and Starlink the EU [created] some regulation that mandates that bottle caps must hold to the bottle
At least the EU made something useful
> The meme that goes around atm is that while Elon Musk created Tesla, SpaceX and Starlink the EU managed to get everybody to now have plastic bottles that do not close properly anymore: due to some regulation that mandates that bottle caps must hold to the bottle, weird only partially-functional mechanisms have been created and it's a PITA to either drink from a plastic bottle or, worse, try to lay it horizontally in a fridge.
I haven't encountered that meme, but if it exists, it's like most memes seem to be: Wrong. The bottle caps work just fine.