Internet's biggest annoyance: Cookie laws should target browsers, not websites

Laws need to be written well to achieve good outcomes. If the law allows for malicious compliance, it is a badly written law.

The sites are just trying to maximize profit, as anyone could predict. So write better laws.

Otherwise how can we explain “please see our privacy policy and send us a sneaker email to opt out” kind of tracking options.

It's impossible to write things correctly the first or final time and especially with the interpretation of words changing over time it doesn't matter if you could.

So maybe “malicious compliance” is a misnomer. We should just call it "illegal dark pattern".

Imagine you write a program to do something and it doesn't work at all as expected and at the same time it causes endless annoyance to users.

A law is very similar to a program. It's software for the society. It didn't work and the authors are blaming everybody except themselves.

But we see how some companies cough cough Apple cough throw massive hissy fits and tries to find the most minuscule opening on the law

Example: In cycling, they banned narrow handlebars. There's an aero advantage, but it was seen as a safety problem. So cyclists canted their brake hoods way inside, rested their hands on the brake hoods, and got an aero advantage.

And now there's a rule about brake hoods. Laws are meant only be living things that change as society changes, and also change to patch what we might call "exploits." You are perfectly correct: It's never one and done, it's an ongoing process.

Also, please remember that in Europe there is no such thing as "the spirit of the law versus the letter of the law." The intent of the law IS the law.

People always say this, but as far as I can tell it's not true.

> […] the Commission is pondering how to tweak the rules to include more exceptions or make sure users can set their preferences on cookies once (for example, in their browser settings) instead of every time they visit a website.

https://www.politico.eu/article/europe-cookie-law-messed-up-...

If people care about privacy, then over time they will migrate to companies and services that respect their privacy. Government laws are broad based policies that always lack nuance. This is why it is better to let markets drive better outcomes organically.

To quote Article 4(11) – Definition of Consent

> ‘Consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Meaning if you force users into pressing a button or let them scroll through 1000 no options, with one easy yes option, you have not collected their free consent. Congrats you broke the law.

Meaning if you just have them click yes, but not informed them about the harmful data collection you did not collect free consent.

The law is pretty clear on that.

It's the same issue as with most EU-wide issues, where there's always countries competing with each other at the benefit of others.

Also GDPR is not exclusive to browsers or internet, it's applicable universally, for both online and offline businesses and processes, which is why it can't and doesn't prescribe exact technical implementation details.

It took just a pair of ruling that made it clear this illegal pattern was going to actually be cracked down upon, and now these popups are just a small annoyance rather than the absolutely enraging trap that they were at first.

Of course I still wish they were unnecessary, but they serve as a reminder that these websites are still trying to prey upon their visitors.

We’re also seeing tracking despite the lack of user consent as well. This could be a fluke but when I make anonymous search on website and switch to another, I’m seeing the product I have just searched in the ads. With all the tracking disabled I mind you.

What are you referring to here? Where in the law is this allowed?

Disagree. The popup is the enraging problem. It's not a small annoyance. I click them multiple times every single day and it's ludicrous.

I don't need a "reminder". The last thing I want is some "reminder" day after day after day. I want a law that protects consumers in the first place.

https://en.wikipedia.org/wiki/Dodge_v._Ford_Motor_Co.

That way, a misplaced comma or a wonky sentence doesn't allow for easy loopholes that need tighter laws to fix issues.

Now law text will work forever, but this format makes for a very solid foundation.

Then don't visit webpages that do illegal things and are hostile to their users.

> I want a law that protects consumers in the first place.

This is that law.

There is no malicious compliance here, just breaking the law. So if it is the problem of laws that they are broken then according to you all laws are 100% the problem. That stance, IMO, is beyond stupid.

https://www.heise.de/en/news/Administrative-court-Cookie-ban...

It isn't that this can't be enforced, it just lagged because of the size and changes that this law brought.

> Also, this is a problem that naturally solves itself over time, so no law was ever needed.

How does it solve itself?

> The UX of the web degraded for everyone after GDPR was passed and that I think everyone can agree on.

Due to website operators doing illegal things.

> If people care about privacy, then over time they will migrate to companies and services that respect their privacy.

Why would people care about something they don't know about?

What is the unintended consequence of GDPR?

Which descriptor do you think is unambiguously violated by making it easier to provide consent than withhold it? To my eyes, both 'freely' and 'informed' are plausibly upheld.

It would be very straightforward to specify that consent and withholding must be equally accessible in the interface, instead of splitting hairs about definitions of "freely given". This is what people refer to when they say the law is poorly written

I think lots of courts claim this, and none actually do.

In any case, there is always a difference between the “intent” of a large and diverse body of politicians, and the actual text of a law. Any practical legal system must take it into consideration.

- The law allows things it shouldn't, or

- The law disallows things it should

And the later gets swept under the rug as "we won't enforce it that way"... and then it winds up getting enforced exactly that way because someone has an agenda, and this is a hammer.

First order of blame goes to the national DPAs for not carrying out their duties.

Second order of blame goes go to whichever EU authority is responsible for penalizing EU member states for non-compliance. There should be serious consequences for non-enforcement like frozen funding. (I don't know what the actual legal process is)

> If people care about privacy, then over time they will migrate to companies and services that respect their privacy.

This is just a libertarian fairy-tale that is designed to sound sensible and rational while being malicious in practice. It exploits information asymmetry, human ignorance, network effects, and our general inability to accurately assess long-term consequences, in order to funnel profits into the hands of the most unscrupulous businesses.

In other words, there's a reason why we have to have regulations that protect people from themselves (and protect well-being of society as a whole).

If it wasn't, the ghoulish masquerade of Corporate Social Responsibility wouldn't be a thing - it in itself a response to Milton Friedman's 1970 article “The Social Responsibility of Business Is to Increase Its Profits” which argued that corporate executives are agents of shareholders and should focus solely on maximizing returns, not social responsibility.

> Art 7(3) It shall be as easy to withdraw as to give consent. [0]

But legal interpretation of GP I believe is reaching the consensus that that phrasing too is broken by that implementation:

> Free and informed consent (Art. 7 GDPR): Consent is valid only if it is freely given. When the option to decline is hidden or unnecessarily cumbersome, the user's choice is affected and consent is no longer "free." [1]

[0] https://gdpr.eu/article-7-how-to-get-consent-to-collect-pers...

[1] https://www.ictrechtswijzer.be/en/complaint-about-cookies-wi...

883 total cases

468 pending cases

€ 2B billion fines imposed

Or, alternatively, you _could_ enforce the law but the resources to do so (people) are no longer available. This happens a lot in the US when the current admin doesn't feel it's important, so doesn't fund the enforcement agencies. And is particularly true more of codes/regulations (I get them confused) than of laws.

Burwell v. Hobby Lobby Stores, Inc. - https://www.law.cornell.edu/supremecourt/text/13-354

> While it is certainly true that a central objective of for-profit corporations is to make money, modern corporate law does not require for-profit corporations to pursue profit at the expense of everything else, and many do not do so. For-profit corporations, with ownership approval, support a wide variety of charitable causes, and it is not at all uncommon for such corporations to further humanitarian and other altruistic objectives. Many examples come readily to mind. So long as its owners agree, a for-profit corporation may take costly pollution-control and energy-conservation measures that go beyond what the law requires. A for-profit corporation that operates facilities in other countries may exceed the requirements of local law regarding working conditions and benefits.

——

The best I understand it, what this ultimately means is that, yes; if the shareholders hold a vote to say "you need to focus on profits over X thing you're doing now/planning to do", you have to do that, but absent a specific shareholder mandate, you are not in any way obligated to seek profit over all else.

Now the EU just needs to turn it into an actual liability for corporations. Otherwise it will remain as an additional bit of entropy for tracking.

The vast majority of laws are never enforced, so in practice this isn't as absurd as it sounds. It would make people consider what laws they spend time writing.

Ford lost this case because he overtly admitted that he wasn't pursuing profit and because he was deliberately trying to prevent minority shareholders from getting money to start up a rival car company.

If he had just made some vague claim that what he was doing was in the long-term interest of shareholders, he probably would have gotten away with it.

How about you just enforce consumer protections for everyone? Because that is clearly not the law.

--------

[1] Here “legitimate interest” essentially means “we see your preference not to be stalked, but we want to so we are going to make it that bit more faf to opt out, because fuck you and the privacy we lie about caring about”.

Services should be denied the capacity to track and fingerprint, not just told about a preference against it.

DNT will always be an "evil bit", regardless of any law behind it.

The story that advertisers don't know what users selected and that somehow allows them to track the user is disingenous.

This is a fiction and just an excuse conservative justices use to make conservative rulings when they don't like a law.

They are perfectly fine to abandon the text of the law whenever it doesn't move forward a conservative agenda. The shining example of this is the voting rights act. Something never amended or repealed by congress but slowly dismantled by the court counter to both the intent and the text of the law.

And if you don't believe me, I suggest reading over the Shelby County v. Holder [1] decision because they put it in black and white.

> Nearly 50 years later, they are still in effect; indeed, they have been made more stringent, and are now scheduled to last until 2031. There is no denying, however, that the conditions that originally justified these measures no longer characterize voting in the covered jurisdictions.

IE "We know the law says this, and it's still supposed to be in effect. But we don't like what it does so we are canceling it based on census data".

[1] https://supreme.justia.com/cases/federal/us/570/529/

As that will erode most worth derived from tracking, sensible operators will decide to stop annoying users and just ditch the tracking altogether. Or so I hope. I wouldn't know, as Brave does a pretty good job of hiding cookie banners in the mean-time.

More generally, I actually did organically notice the massive increase in "Reject all" buttons and found out about these court decisions myself some time ago. Certainly a small win for the internet, although it should not have taken 9 years(!) from the implementation of GDPR for these violations of it to be cracked down on.

Programming your computer to automatically click "yes" sounds like affirmatively giving consent to all popups to me. The standard for consent here is lower than for things like sex.

If you read GDPR in it's complete form [1], there are 173 paragraphs before the actual law begins at CHAPTER I, almost half way down the page. Those are the reasons why the law was created, what's it trying to achieve, how it is intended to work, responsibilities of govenrnments, etc.

The EU provided us the spirit of the law - in writing.

[1] https://eur-lex.europa.eu/eli/reg/2016/679/oj/eng

They obviously looked at the alternatives and decided that the benefits of cookies or the cost of compliance is bad enough to allow for this crappy experience. And they all pretty much decided across the board.

So what problem is this cookie crap trying to solve? No one asked for it, no one wants to comply and now we're just making the web worse off as a result.

Law making is a way of predicting the future and setting up incentives to achieve a goal. You need to foresee what can go wrong, talk to incumbents and anticipate the response. It's a technical matter and this has been a debacle.

It's useless to put the blame in the advertisers. Even if they're evil, that doesn't make the situation any better for the public.

Unfortunately, I don't actually think people realize the law is on their side here. My girlfriend never clicked "Reject All" until I told her to because she thought something wouldn't work if she did that!

We put a lot of safeguards, exception handling and all kind of measures to control errors.

I don't know if they'll finally find a way to control the spying, but how many years have passed since they made the law?

> not illegal to annoy the user on every page load

This looks like a contradiction to me.

Nope. Murder is an action after which the victim can not make any more actions. It would be like saying "don't go to the bakery where they spit in your food and slap you in the face every time you order something". You are enraged by the behavior of the websites you visit and you still keep going there every day. Either you are a masochist or "voting with your wallet" or, in this instance with you attention, doesn't really work. Why do you give your attention to those that treat you like shit?

> How about you just enforce consumer protections for everyone?

They are. What gave you the idea they aren't? Because some pages still behave illegally? You understand that murder still happens?

> Because that is clearly not the law.

Do you know anything about GDPR? Because it seems that you do not. Could you point to the text of the regulation that you object to? I'll wait but I'm sure I'll be waiting for godot here.

please read the second half of the clause, kthx

This is a critical failure point which should get more attention. Laws (and regulations) are like computer code in some key ways. Early computer code was written assuming it would be run by experts in trusted, benign environments that were relatively fixed in size and complexity. Our legislative law-making structures were created with similar assumptions. As the world changed, code changed but law-making structures didn't.

At a minimum, while being drafted laws should be subject to independent red-teaming and penetration testing to A) Assess their ability to actually accomplish their stated intent over time in the real world, and B) Surface likely unintended perverse consequences. Of course, that still wouldn't solve the issue of intentional weakening of laws with vague terminology, incomplete scoping, inserting loopholes, exceptions, etc by special-interest-driven legislators.

Sadly, these days I think intentional nerfing of laws during drafting is the biggest cause of 'bad laws'. But at least the red-teaming concept might prevent some unintended bugs on top of lobbyist-driven nerfing.

How else should we view them? Walks like a duck, quacks like a duck, probably a duck.

Nobody justified the behavior, only stated that corporations have proven over time to generally seek profits over all else. They provide legal cover to bad-faith actions. That wasn't the original intention, but it is absolutely the current state of the world.

A "loophole" is only a "loophole" to someone who agrees with yours. And I say it as someone who agrees in this particular instance.

It seems like web browsers were developed in a pre-surveillance capitalism world

Literally what a corporation is.

This is capitalism mate. People will do basically anything with the "for the company" excuse. If they don't, they will be out of a job and eventually starve.

Laws are the only things that can limit corporations. Without those we'd still have children working, 14 hour shifts and no weekends.

Whereas you get publicly-traded companies and the primary shareholders are investment funds, whose managers get bonuses based on short-term results and who may not be in the same job or having the fund hold the same companies in as little as a year from now. So their incentive is to have companies squeeze customers for short-term gains and then choose the right time to pawn the shares off on some bag holders who see strong recent numbers and don't realize what that strategy does to the company's long-term prospects.

Isn't this the other way around? If you cite "the spirit of the law" then you're ignoring the text in order to do whatever you want.

Finding a "conservative" judge who does the latter is evidence that the particular judge is hypocrite rather than any argument that ignoring what the law actually says is the right thing to do.

But you also picked kind of a bad example, because that wasn't a case about how to interpret the law, it was about whether the law was unconstitutional.

Investigating murders is enforceable. If law enforcement isn't doing their job then that is a different problem. By virtue of being on the Internet, tracking cookies span many legal jurisdictions (even ones outside of the EU that never agreed to GDPR) and therefore run into all sorts of different legal obstacles. Apples and oranges and all that.

> This is just a libertarian fairy-tale that is designed to sound sensible and rational while being malicious in practice. It exploits information asymmetry, human ignorance, network effects, and our general inability to accurately assess long-term consequences, in order to funnel profits into the hands of the most unscrupulous businesses.

No, it allows people to be adults and vote with their feet. We do this all the time in many other areas and it works. (Exactly what the free market is based on) This is not to say that there shouldn't be any privacy and anti-spam laws, but when it comes to allowing marketing/advertising the trade-off has been well understood for some time. We are all funneling a lot of profits into companies that provide software to serve up the cookie banner warnings now and the advertisers still end up getting lots of people's data. A poorly designed law is a bad law. Legally requiring consent upfront and the ramifications of that decision should have been thought through much more thoroughly.

How long have these laws been out and we are still dealing with these issues. They seem to have gotten worse, not better.

> How does it solve itself?

People build services that don't track others and people pay for those services. It's pretty simple.

> Due to website operators doing illegal things.

If it was so illegal it would be stopped, but apparently businesses are indeed complying with the law.

> Why would people care about something they don't know about?

It's well known that cookies track you across sites and some people choose not to use those sites. The sites are required to disclose this information, so users are definitely aware.

One way to do that is to interpret the law strictly according to the text, or in the case of ambiguity to choose the interpretation that benefits the accused rather than the government. Then you could just read the law to know if it prohibits what you want to do, because unless it unambiguously does, then it doesn't. And then if the government doesn't like it once they see someone doing that, it's up to them to change the law.

Another is to give people a way to get clarification ahead of time. This is called advisory opinions and governments generally hate them because as soon as you allow it, the government is going to be absolutely swamped with requests for clarification because everybody wants to pre-clear everything they're going to do rather than take the risk of getting punished for doing something without clearing it. But in order for this to work, getting a clarification has to be cheap, because "pay a million dollars for an advisory opinion to avoid the risk of a million dollar fine" isn't a real solution to the problem of people getting punished when the law is unclear.

So the first one is actually better, the only "problem" with it is that you need the government to be paying attention and promptly rework the law when it isn't having the intended effect, otherwise you'll have people complaining about it because in the meantime there is a dumb law on the books. But if your government is bad at making good laws then you're going to have a bad time no matter what.

Otherwise, the purpose of the law is what it does -- mandate annoying tracking popups on every website.

The intent was nice, but the ask from the article is essentially asking browsers to implement uBlock Origin built-in and expect Google to just comply without pushback.

Unlike to happen because the ones that got us the current law, the ones that make the browsers, and the ones that make money from the ads (cookies == ads) are all the same companies.

Asking browsers to implement uBlock Origin natively tho...

Sure, some of you are just so good and nice that you're going to spend all of your time trying to better your fellow man no matter the incentives. The rest of us are spending our time and energy trying to better ourselves. It's better for everyone if the rules of the game are set up so those actions create positive externalities.

On the other hand, there is the issue how the intent of laws (which were often passed by highly incompetent politicians, in particular when IT topics are involved) is to be interpreted.

A partial solution to this problem is: write laws in a way that need a lot less clarification because there is rarely a need for it because the laws are thought out so well.

But in the absence of that? I appreciate at least being asked for my consent so that I can press the "I do not consent to being tracked" button. It shouldn't exist in the first place, but since these websites are unwilling to just not spy on people, this seems like the next best thing.

(and frankly, the number of users that actively want to consent to this is essentially zero)

I always constent to cookie popups so the number can not be 0.

But yes, I think your take is more realistic as any measure that allows rapid changes also allows willful politics to rapidly make a mess.

Its not hard when it comes to any website of note, large companies can't easily hide what their computers are doing really, if they have code that tracks people it is gonna be found.

Now I'm left wondering why enforcement was supposedly so hard. Seems like shooting fish in a barrel, especially given that some very large websites were in clear violation of this article

Yes, that is precisely the problem with GDPR, too. Enforcement is supposed to be carried out by national Data Protection Authorities but they just don't investigate. I've reported some clear cut violations and they never followed up on anything.

Swedish one is even being taken to court for completely neglecting their duties: https://noyb.eu/en/noyb-takes-swedish-dpa-court-refusing-pro...

> By virtue of being on the Internet, tracking cookies span many legal jurisdictions (even ones outside of the EU that never agreed to GDPR) and therefore run into all sorts of different legal obstacles.

It doesn't matter. It's irrelevant to the general enforcement issue. Most DPAs seem to be failing to enforce even the simplest of cases. Let's chat about the edge cases and jurisdiction when the clear cut cases are being taken care of reliably.

Definitely the spirit of it, though some claim not the letter or it due to loopholes.

> The decline button means decline all.

It certainly should, but I never trust it does (with other dark patterns on show I'm all out of benefit-of-the-doubt) and go into to "details" to look for objection toggles. Not that I particularly trust those anyway, but that is a different niggle!

Who are "they"? The law hasn't changed, it's enforcement that is changing, albeit very slowly.

There are so many institutions that can be rightfully blamed - chiefly the DPAs and the national governments, but your continued insistence on blaming the lawmakers makes no sense. The law is clear, it's just not being enforced.

Of course advertisers deserve all this blame too, but their blame is irrelevant when discussing enforcement. I don't expect them to stop any more than I expect a serial killer to turn themselves in. This is still a failure of the institutions.

The extension I use is called Ghostery and it also claims to block other tracking.

No, they have gotten better. Earlier reject all was barely seen on the internet. Now it is on the majority of places or at least in much more places. How is that getting worse? Can you please explain how it has gotten worse or why you think it has gotten worse?

> People build services that don't track others and people pay for those services. It's pretty simple.

How would an average individual know that a service is tracking them if the service doesn't need their consent for it?

> If it was so illegal it would be stopped, but apparently businesses are indeed complying with the law.

GDPR art. 7.3:

"The data subject shall have the right to withdraw his or her consent at any time. 2The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. 3Prior to giving consent, the data subject shall be informed thereof. 4It shall be as easy to withdraw as to give consent."

So the law states that it must be as easy to reject cookies as to accept. That means that it is illegal to hide reject all.

In the parent post of this thread there is even a link about a court case:

https://www.techspot.com/news/108043-german-court-takes-stan...

So has your opinion with this information changed on who is to blame for the bad UX? If not, why not?

> It's well known that cookies track you across sites and some people choose not to use those sites. The sites are required to disclose this information, so users are definitely aware.

Maybe now, because of GDPR forcing site operators for asking consent to being tracked. But you said that it would happen organically without GDPR. I'm confused, even you, in the last sentence say that sites are required to disclose information but that is because of GDPR. It isn't the market somehow reaching that point organically. So which is it because you seem to agree that GDPR is needed but at the same time you are saying that it isn't needed and the market would sort it out. I'm really confused now.

Not doing that is a civic duty that I expect from every politician who wants to be considered to be more trustworthy than a child molester who has relapsed several times.

first case was around 2018-2019 and then it took some time for the cookie banner consent thing to percolate through the courts. (the Hungarian data protection agency already issued a ~3000 EUR fine in 2018-08 and cited the GDPR. and the Hungarian DPA cites this 2019 EU court case which is explicitly about cookie consent [1])

and according to this tracker - https://noyb.eu/en - there are 2B fines already imposed and (883 total cases and still 468 pending)

[1] https://curia.europa.eu/juris/document/document.jsf?text=&do...

and even if the law somehow becomes a perfect ideal filter for separating good from bad ... its enforcement will run into the problem of false positives and negatives as long as it deals with messy real world events and their various imperfect impressions found in whatever evidence is collected in a case.

well, of course a more competent electorate and politicians would be nice anyway, but now we run into the problem of competence in the eyes of who?

*sigh*

Once again; the goal of the GDPR is to give users control of their personal data. There are (believe it or not) legitimate reasons why somebody might want to be tracked or allow their personal data to be collected; this is perfectly fine, provided its done fairly and the user gives their explicit opt-in consent.

This shouldn't be hard to understand.