
Hiding the popup is not the same as clicking reject.

It should be but it's not.



You think these websites give a shit about your privacy because you clicked on a div with a "No" in it? Not a chance. It's like asking thieves to promise not to steal from you.

Protecting users is the browser's job:

https://support.mozilla.org/en-US/kb/enhanced-tracking-prote...

https://support.mozilla.org/en-US/kb/introducing-total-cooki...


I'm currently at a small ad tech firm and while I can't speak for other outfits, we definitely are extra careful about respecting user consent indicators. Because we are small, it's not easy to do this, because there are many possible ways for users to "reject". This includes situations that merely imply non-consent due to inaction, rather than active non-consent like a reject cookie indicator, or living in a jurisdiction that makes non-consent automatic (as it should be!). Many of the "reject cookies" tools are especially useful because even if a website doesn't respect your choice (and therefore tries to send data to us) your browser can still tell us if you are non-consenting. This means it's easier for us to notice non-consent and drop the data as soon as possible, before any logging or analysis can occur.

We do not materially benefit from this in any way, nor do we market it. I am not a spokesperson for my company nor do I want to be publicly identified with it. I'm advocating here because you said "not a chance" but there is a chance.

It's not just that we are worried about some sort of regulatory enforcement, either, although the existence of such regulations does help convince the less scrupulous people not to pursue a bad path.

The free internet is built on ads. I still believe in the free internet. I still think we can make it work. I welcome regulation and regulatory enforcement even though it's hard for a small outfit like us, because it reduces the chances that our ad tech has to compete with less scrupulous people. I think we've survived as a small outfit since roughly the dotcom era because we've tried to be good stewards. People wouldn't need uBlock if there was better regulation/enforcement, and companies like mine, who are trying to do the right thing (even as we operate in the loathed ad space), would benefit.

I'm worried about AI on this front because it means in the future your ads will be served up to you out of a black box instead of out in the open where we can all inspect who is trying to get what from us (and block bad parties via eg uBlock), and, to a degree, who is trying to shove what down our throats.


> The free internet is built on ads.

And ads don't require pervasive and invasive tracking. The industry made us all believe they do.


Yes, that's exactly what I'm saying. The industry made us all believe they do, in what began as a differentiator from offline ads, that quickly spiraled into the current day insanity. Browsers have been playing cat and mouse to a degree, but except for the annoying cookie banners that everybody hates, regulation like GDPR is the thing that has restored some small piece of sanity. There should be more and better regulation + enforcement to better align ad tech with the interests of the public.


Just curious, but it sounds like this is the ideal use case for Do Not Track. Do you all use that as a signal to not track/remove nonessential cookies?


Yes, we do treat that as a valid signal. But users still shouldn't use it today anyway, since it has no teeth and many companies will use it as part of a composite identifier. If Do Not Track had more regulatory teeth, I think it might have gone somewhere.

Global Privacy Control (GPC) is the modern alternative, and the mechanism by which California's privacy legislation / CCPA is largely handled from a technical perspective. Unfortunately it is not available by default in Chrome, but it is in eg Firefox / DuckDuckGo browser. Because it has legal teeth, it has more power to give you a tracking free experience even if a company had the technical capability to track you.

It can still help you even if you're not in California because geolocation is not perfect, but it does provide the ability to monetize ads that are tracking free. The threat of enforcement has to be real and continue to be demonstrated, though, or it won't last.

iCloud Private Relay also causes tracking companies a lot of real pain (sort of a mini-Tor where Apple and Cloudflare each have only half of your unlock key), but it's a technical bandaid with a variety of flaws that can break many legitimate things.

Ultimately each situation is one that requires judgement, which is why I think a legislative/judicial answer is the only one that ultimately holds up. GPC allows for a little more nuance than DNT. People care about the intent of respecting "Do Not Track." In some cases it may require a judgement about whether or not a company violated that request, not whether it was "technically impossible for the company to violate that request (we thought) but oh oops it was possible...I guess that just means we need to make it harder, the company doing the violating was okay because they worked within the bounds of what was technically possible."

A company that violates this privacy, especially when you've indicated that you do not consent, should have to face penalties. And because we expect some companies to go out of business for violating these rules, we should also make sure that their "data assets" aren't simply transferred to some new company in bankruptcy court when an adverse ruling comes down.
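
As an added illustration (not part of the comment above and not any company's actual code): a server-side ingest filter that honours the `Sec-GPC` and `DNT` request headers and treats missing consent as non-consent, dropping the event before anything is stored. The header names are real; the event shape, the `consent` field, the function names and the choice to let either signal override a stored consent flag are assumptions made for the example.

```python
from typing import Dict, Iterable, List, Mapping, Optional, Tuple

# Real header names: Sec-GPC (Global Privacy Control) and DNT (Do Not Track).
# Hypothetical: the event dict, its "consent" field, and these function names.

def opt_out_reason(headers: Mapping[str, str],
                   event: Mapping[str, object]) -> Optional[str]:
    """Return why this event must be dropped, or None if it may be processed."""
    # HTTP header names are case-insensitive; normalise before lookup.
    h = {k.lower(): v.strip() for k, v in headers.items()}
    if h.get("sec-gpc") == "1":
        return "gpc"
    if h.get("dnt") == "1":
        return "dnt"
    # Inaction is not consent: only an explicit True counts as opt-in.
    if event.get("consent") is not True:
        return "no-affirmative-consent"
    return None

def ingest(requests: Iterable[Tuple[Mapping[str, str], Mapping[str, object]]],
           sink: List[dict]) -> Dict[str, int]:
    """Filter events before any logging; keep only per-reason drop counts."""
    dropped: Dict[str, int] = {}
    for headers, event in requests:
        reason = opt_out_reason(headers, event)
        if reason is not None:
            # Count the drop, but record nothing about the request itself.
            dropped[reason] = dropped.get(reason, 0) + 1
            continue
        # Persist the event only. Request headers are never stored, so the
        # DNT/GPC values cannot end up as bits of a composite identifier.
        sink.append(dict(event))
    return dropped

# Constructed sample input: (request headers, event payload) pairs.
SAMPLE = [
    ({"Sec-GPC": "1"}, {"page": "/a", "consent": True}),  # GPC overrides banner
    ({"dnt": "1"}, {"page": "/b", "consent": True}),      # lower-case header
    ({}, {"page": "/c"}),                                 # user never answered
    ({"DNT": "0"}, {"page": "/d", "consent": True}),      # explicit opt-in
]

if __name__ == "__main__":
    stored: List[dict] = []
    print(ingest(SAMPLE, stored), stored)
```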


> The free internet is built on ads.

Check your internet bill, it might not be free after all.

I'd very much rather get back to the internet being about connectivity and nothing else. The internet would survive just fine by providing a means to contact authorities, companies and each other, without any of the "content" for which we supposedly need ads to produce.


> The free internet is built on ads. I still believe in the free internet.

The internet I remember had free content because mostly individuals wanted to share something. Commercial offers were rare. I would be very happy to go back to that network, with 90% content gone and the remaining 10% provided without an ads driven model. In fact, if it was for me, one could widely ban most advertising also off-net. It is manipulative cancer. At least ban any sort of user tracking and analysis. Yes, this will kill a wide spectrum of offers. I am totally fine with that trade-off. We don’t need it for a well-functioning society. And yeah, look around, we do all sorts of interference with so-called free markets, because history has shown time and time again how horrible it gets when you allow capitalism to roam freely.


> You think these websites give a shit about your privacy because you clicked on a div with a "No" in it

Yes. For a subset of "these websites". Because this is enforced and the EU has fined billions already. The fines for doing what you say they do are steep and a severe risk for many "these websites".


> For a subset of "these websites".

So for websites that are not in that subset, they will still track you regardless of what you click on, so you still need browser-level protections for those websites, and those browser-level protections will also work on the websites that are in that subset, so you still gain nothing by clicking the No.


Yes. But "these websites" will then be prosecuted, their owners cannot enter the EU ever again without the risk of severe penalties, they cannot do business in the EU and can, and often will, lose access to many services that do want to stay on the good side of the EU (i.e. will see their Google Ads blocked, their Stripe frozen, their hosting closed etc).

Edit: what I'm trying to say is: this "technical" problem has a real and working "solution" that's not technical at all: law and enforcement. Now, that won't work for all and everything, it never does. There will always be malicious, scammy, malware, criminal and illegal webservices around. But it makes it very hard for malicious actors to do so and make money.


Yeah but the question is how you, as a user, should best protect yourself. I'm saying clicking the "No" provides no advantage over using a browser that just protects you from tracking by default. Then it doesn't matter whether the website is following the law or whether the EU (where I don't live) will enforce the law or change it in the future or whatever.

> Now, that won't work for all and everything, it never does. There will always be malicious, scammy, malware, criminal and illegal webservices around.

Yeah, exactly. So if I have to protect myself from those websites anyway, I may as well apply the same protections to all websites. Clicking the "No" does nothing for me.


> So if I have to protect myself from those websites anyway, I may as well apply the same protections to all websites.

And what is the protection?



The act of indicating no is frictionless if automated through an extension, and if it turns out orgs are not respecting the action, it'll end up in a class action or other legal event eventually (assuming statute or other regulatory mechanisms exist on the topic). "Porque no los dos?" Strongly agree the browser should still aggressively act in the user's interest and protect them.

(privacy law and how it relates to customer user experience is a component of my work in finance)


I think that's a distinction without a difference in general, but certainly under the GDPR where any form of consent must be explicit.


I mean sure I guess, do whatever you want. I will always have uBo installed and I prefer to have less software on my machine (fewer things to go wrong), so uBo's list plus Firefox's protections is good enough for me.

> if it turns out orgs are not respecting the action, it'll end up in a class action or other legal event eventually

Not a chance.


Yeah I find that list is more trouble than it's worth, because some sites will block interaction until you dismiss the cookie notice, so you get softlocked if the notice is hidden. I assume that's why uBO disables that list by default.


Agreed. YouTube is a notable example of this, at least in the EU.


This is incorrect. The GDPR requires affirmative consent before processing user information; hiding is not "affirmative." Additionally, there's been increasing litigation via wiretapping statutes (most notably in California where there are statutory minimums for damages) that pose additional legal risk for companies using analytic cookies w/o affirmative consent.


Legally it is the same

Doesn't mean people implement it correctly though



