Most active commenters

    ←back to thread

    Internet's biggest annoyance: Cookie laws should target browsers, not websites

    (nednex.com)
    582 points SweetSoftPillow | 16 comments | 22 Oct 25 12:12 UTC | HN request time: 0.837s | source | bottom
    1. vmaurin ◴[22 Oct 25 12:26 UTC] No.45668002[source]
    Same goes for age verification.

    There was the DNT header, that was a bit to simplistic, but was never implemented https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/...

    The thing people need to understand here is that the annoyance is not due to lack of technical solutions, or regulations forcing something. It is explicitly wanted by the industry so they can maximize the consent rate. The browser solution is probably the best technical/user friendly one, but ad tech/data gathering industry won't have any consent. As they control most of the web, they will never do that

    replies(4): >>45668031 #>>45668051 #>>45668121 #>>45668873 #
    2. Animats ◴[22 Oct 25 12:28 UTC] No.45668031[source]
    It was implemented in browsers and ignored by sites. Chrome help says:

    Turn "Do Not Track" on or off

    When you browse the web on computers or Android devices, you can send a request to websites not to collect or track your browsing data. It's turned off by default.

    However, what happens to your data depends on how a website responds to the request. Many websites will still collect and use your browsing data to improve security, provide content, services, ads and recommendations on their websites, and generate reporting statistics.

    Most websites and web services, including Google's, don't change their behavior when they receive a Do Not Track request. Chrome doesn't provide details of which websites and web services respect Do Not Track requests and how websites interpret them.[1]

    About the best we have browser side is a mode where all cookies are cleared at browser exit.

    [1] https://support.google.com/chrome/answer/2790761

    replies(3): >>45668515 #>>45668519 #>>45669116 #
    3. cyanydeez ◴[22 Oct 25 12:30 UTC] No.45668051[source]
    At this point browsers should become publicly owned. Theres zero benefit in private ownership. Its a utility and nows the time to accept that.
    replies(2): >>45668113 #>>45668238 #
    4. LunaSea ◴[22 Oct 25 12:36 UTC] No.45668113[source]
    Utilities are not public either anymore in most western countries.
    5. p_l ◴[22 Oct 25 12:36 UTC] No.45668121[source]
    Fun fact - if you handle DNT properly, you don't need to show the consent screen... because you're not doing anything requiring said consent.
    replies(2): >>45668507 #>>45668948 #
    6. ants_everywhere ◴[22 Oct 25 12:46 UTC] No.45668238[source]
    [flagged]
    7. jeroenhd ◴[22 Oct 25 13:07 UTC] No.45668507[source]
    I believe Medium's DNT implementation showed a little confirmation button on embedded Youtube players. That's the kind of consent screen you may still need with proper DNT handling.

    None of those cookie popups, though. That's all malicious compliance.

    8. Semaphor ◴[22 Oct 25 13:07 UTC] No.45668515[source]
    > About the best we have browser side is a mode where all cookies are cleared at browser exit.

    No. The best we have are adblockers and scripts like consent-o-matic.

    Clearing cookies does mostly clear cookies, tracking goes far beyond that. Clearing cookies has always been a red herring enabling adtech submarines like "I don’t care about cookies".

    replies(1): >>45675732 #
    9. djoldman ◴[22 Oct 25 13:07 UTC] No.45668519[source]
    In chrome, saving anything to your device can be blocked completely:

    chrome://settings/content/siteData

    Here's an extension to block at a per-site granularity (despite it saying cookies, it blocks it all including local storage):

    https://chromewebstore.google.com/detail/disable-cookies/lkm...

    10. disruptiveink ◴[22 Oct 25 13:30 UTC] No.45668873[source]
    Correct. Age verification and privacy consents belong on the browser. The issue is that on the browser, things work a bit too well (remember https://en.wikipedia.org/wiki/P3P ?), so the big players are incentivized to ignore completely the browser-based mechanisms and say/do nothing whenever they see lawmakers going on a dumb direction (risking fines is a reasonable price to pay in order to kill adoption of an actual browser/OS based control that would cause a dent to their tracking operations) that puts the onus on individual website operators.
    11. voxic11 ◴[22 Oct 25 13:36 UTC] No.45668948[source]
    I don't think this is true. DNT being absent or set to consenting is not enough to infer the user has given specific and informed consent under the GDPR.

    > Explicit consent: Under the GDPR and similar laws, consent must be specific, informed, and an unambiguous, affirmative action from the user. Consent cannot be assumed by a user's continued browsing or inaction, which is what DNT would require.

    replies(1): >>45671129 #
    12. pessimizer ◴[22 Oct 25 13:48 UTC] No.45669116[source]
    That's not an implementation. That's a request to sites that you visit to comply willingly. An implementation would be defensive.

    It's what you would do if you had the crazy idea that a browser should be a client for the user, and only a client for the user. It should do nothing that a user wouldn't want done. The measure of a client's functionality is indistinguishable from the ability of the user to make it conform to the their desires.

    replies(1): >>45671914 #
    13. p_l ◴[22 Oct 25 15:59 UTC] No.45671129{3}[source]
    if DNT is absent you could show GDPR-compliant consent screen (ofc, it would still need to be actually compliant, i.e. with "reject all" button front and center)
    14. TheCoelacanth ◴[22 Oct 25 16:53 UTC] No.45671914{3}[source]
    It's not realistic to completely prevent tracking solely on the client-side. Every time that you interact with a server, that's an opportunity to track you. You can't prevent unless you just completely stop interacting with the server.
    15. zenmac ◴[22 Oct 25 22:04 UTC] No.45675732{3}[source]
    Didn't manifest v3 kinda voided all that for chrome based browser? Even brave's time in manifest v2 is timed. For that reason have switched to Firefox.
    replies(1): >>45678112 #
    16. Semaphor ◴[23 Oct 25 04:14 UTC] No.45678112{4}[source]
    Use an adtech browser, win adtech prices.